
Ethereal-users: [Ethereal-users] Re: Newbie Dissector question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 8 Apr 2005 07:35:27 -0400
Correct.

The dissector_add() lines register the IP dissector for those
transports which transport IP.
It just registers dissect_ip() in some external dissector tables.

Look inside packet-eth.c and you will see the dissector table for things
running on top of Ethernet, and see something like
dissector_try_port() that will call the dissector registered in that
table.



On Fri, 8 Apr 2005 02:25:56 -0700 (PDT), linux lover
<linux_lover2004@xxxxxxxxx> wrote:
> hello,
>        Thanks for understanding me the various packets
> handled by ip protocol.
>       I have one more query in following function
> void proto_reg_handoff_ip(void)
> {
>         dissector_handle_t ip_handle;
> 
>         data_handle = find_dissector("data");
>         ip_handle = find_dissector("ip");
> 
>         dissector_add("ethertype", ETHERTYPE_IP, ip_handle);
>         dissector_add("ppp.protocol", PPP_IP, ip_handle);
>
> So can I say in simple words that
> dissector_add is used when ethereal got packets from
> ppp interface or IP packets from NIC, then use
> dissect_ip function in above case?
> Please correct me.
> 
> Thanks for help.
> regards,
> linux_lover.
> 
> --- Guy Harris <gharris@xxxxxxxxx> wrote:
> > LEGO wrote:
> > 
> > >>        dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
> > > 
> > > 
> > > a different way to do IP over PPP (?)
> > 
> > More like "a different way of constructing a network stack", i.e.
> > Microsoft's way of constructing it, in which everything above the link
> > layer expects packets that look like Ethernet packets, and there's a
> > "glue layer" (NDISWAN) that translates between PPP and Ethernet packets,
> > and, apparently, you can, when capturing with WinPcap, see packets with
> > PPP headers with Ethernet types rather than PPP types in the protocol field.
> > 
> > >>        dissector_add("null.type", BSD_AF_INET, ip_handle);
> > > 
> > > IP over .... a null socket type????
> > 
> > IP over BSD loopback interfaces; the DLT_ name for that is DLT_NULL.
> > There's really nothing "null" about it - there's a link-layer header for
> > them, containing a 4-byte BSD address family value.
> > 
> > >>        dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
> > > 
> > > IP over ????
> > 
> > IP over "Cisco HDLC", a pre-PPP Cisco scheme for encapsulating packets
> > on a synchronous serial line.
> > 
> > >>        dissector_add("osinl.excl", NLPID_IP, ip_handle);
> > > 
> > > IP over  OSI Network Layer???
> > 
> > IP over the same layering scheme used for the OSI networking layer, with
> > a 1-byte protocol type field.
> > 
> > >>  dissector_add("wtap_encap", WTAP_ENCAP_RAW_ICMP, icmp_handle);
> > > 
> > > 
> > >>            First one is ok that ICMP packet processed
> > >>IP header and then giving data part to ICMP but what
> > >>is other thing wtap_encap?
> > > 
> > > This I really do not know, it might well be ICMP found raw in a pcap
> > > file by wiretap.
> > 
> > Yes, it's raw ICMP in HP-UX nettl files.
> > 
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > 
>
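
The registration and lookup described in this thread, as an added example that is not Ethereal source code: a simplified model in which every `model_*` name, the flat registry and the return conventions are hypothetical stand-ins for dissector_add(), dissector_try_port() and dissect_ip(). The parent dissectors check the header length before reading their type field, since that field comes straight from captured data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model with hypothetical names; not Ethereal's real API. */
#define ETHERTYPE_IP 0x0800  /* IPv4 EtherType */
#define PPP_IP       0x0021  /* IPv4 PPP protocol number */
typedef int (*dissector_fn)(const uint8_t *data, size_t len);
struct entry { const char *table; uint32_t key; dissector_fn fn; };
static struct entry registry[16];
static size_t n_entries;

/* Models dissector_add(): bind (table name, key) to a dissector. */
int model_add(const char *table, uint32_t key, dissector_fn fn) {
    if (n_entries == sizeof registry / sizeof registry[0]) return -1;
    registry[n_entries++] = (struct entry){ table, key, fn };
    return 0;
}
/* Models dissector_try_port(): 0 when nothing is registered for the key. */
int model_try(const char *table, uint32_t key, const uint8_t *d, size_t len) {
    for (size_t i = 0; i < n_entries; i++)
        if (registry[i].key == key && strcmp(registry[i].table, table) == 0)
            return registry[i].fn(d, len);
    return 0;
}
/* Stand-in for dissect_ip(): IP version nibble, -1 on an empty payload. */
int model_dissect_ip(const uint8_t *d, size_t len) {
    return len >= 1 ? d[0] >> 4 : -1;
}
/* Parent dissectors read their own type field, then consult their table. */
int model_dissect_eth(const uint8_t *f, size_t len) {
    if (len < 14) return -1;  /* truncated Ethernet header */
    return model_try("ethertype", (uint32_t)f[12] << 8 | f[13], f + 14, len - 14);
}
int model_dissect_ppp(const uint8_t *f, size_t len) {
    if (len < 2) return -1;   /* truncated PPP protocol field */
    return model_try("ppp.protocol", (uint32_t)f[0] << 8 | f[1], f + 2, len - 2);
}
/* Models proto_reg_handoff_ip() from the quoted question. */
int model_handoff_ip(void) {
    return model_add("ethertype", ETHERTYPE_IP, model_dissect_ip)
         | model_add("ppp.protocol", PPP_IP, model_dissect_ip);
}
int main(void) {
    /* Constructed frame: zeroed addresses, EtherType 0x0800, first IP byte 0x45. */
    static const uint8_t eth_ip[15] = { [12] = 0x08, [13] = 0x00, [14] = 0x45 };
    model_handoff_ip();
    return model_dissect_eth(eth_ip, sizeof eth_ip) == 4 ? 0 : 1;
}
```
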