Wireshark · Wireshark-dev: Re: [Wireshark-dev] proto tree

[Guy Harris <guy@xxxxxxxxxxxx>]

Amit Paliwal wrote:

> Thanks a lot for your response it really give more insight into it, I 
> just want to ask one more thing is it like for each protocol we have all 
> its attribute at one level like suppose ethernet, so all ethernet 
> attributes at one level than in next level all IP attributes like that.

Not necessarily.

A packet for a protocol might have a data structure inside it, and 
Wireshark might display a summary of the data structure at level N, with 
the individual fields of that structure at level N+1.  It's up to the 
author of the disssector for the protocol.

There will be an entry at level 1 (or, if you're a C or C++ programmer, 
level 0 :-)) for Ethernet or IP or TCP or..., and all attributes for 
Ethernet will be underneath the level 1 entry for Ethernet, but they 
might be at level 2, or level 3, or....