Wireshark

Wireshark-users: [Wireshark-users] Detecting protocol headers



From: Rayne <hjazz6@xxxxxxxxx>
Date: Fri, 6 Mar 2009 01:01:51 -0800 (PST)

Hi,

I'm trying to understand how Wireshark is able to detect all the different protocol layers in a packet, e.g. Ethernet->IP->UDP->GTP->IP->TCP->Payload.

From what I've read, a protocol tree is first built that stores the parent-child relationships of the various protocols, then a dissector is called for each protocol. My question is how, say for the GTP packet, the UDP dissector knows to call the GTP dissector next. Does the UDP dissector make this call based on the port numbers, or by looking at subsequent bytes in the packet? And how does the TCP dissector know that there are no more headers after it? And in the more general sense, how does the current dissector know which dissector it should call next?

Thank you.
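
A toy model of the table-driven hand-off the question asks about, added here as an illustration; it is not part of the original post and is not Wireshark's source code. All function and table names are hypothetical, the frame is constructed, and GTP extension headers are assumed absent. Each layer looks up its successor by a field in its own header (EtherType, IP protocol number, port), and when nothing is registered the remaining bytes are labelled plain data.

```python
import struct

def hand_off(table, keys, payload, layers):
    for key in keys:                      # first key with a registered dissector wins
        if key in table:
            return table[key](payload, layers)
    return layers + ["data"] if payload else layers   # no match: leftover bytes are data

def eth(buf, layers):
    layers.append("eth")
    return hand_off(ETHERTYPE, struct.unpack_from("!H", buf, 12), buf[14:], layers)

def ip(buf, layers):
    layers.append("ip")
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack_from("!H", buf, 2)[0]
    return hand_off(IP_PROTO, (buf[9],), buf[ihl:total], layers)

def udp(buf, layers):
    layers.append("udp")
    sport, dport, length = struct.unpack_from("!HHH", buf)
    return hand_off(UDP_PORT, (dport, sport), buf[8:length], layers)

def tcp(buf, layers):
    layers.append("tcp")
    sport, dport = struct.unpack_from("!HH", buf)
    return hand_off(TCP_PORT, (dport, sport), buf[(buf[12] >> 4) * 4:], layers)

def gtp(buf, layers):
    layers.append("gtp")
    flags, msg_type, length = struct.unpack_from("!BBH", buf)
    inner = buf[12 if flags & 0x07 else 8:8 + length]   # E/S/PN flags add 4 bytes
    # G-PDU (0xFF) tunnels a user IP packet, so the IP dissector runs a second time.
    return ip(inner, layers) if msg_type == 0xFF else hand_off({}, (), inner, layers)

# Registration: a layer's successor is looked up by a field in its own header.
ETHERTYPE, IP_PROTO, UDP_PORT, TCP_PORT = {0x0800: ip}, {17: udp, 6: tcp}, {2152: gtp}, {}

def dissect(frame):
    layers = []
    try:
        return eth(frame, layers)
    except (struct.error, IndexError):    # a header ran past the captured bytes
        return layers + ["malformed"]

def sample_frame(payload=b"GET /", port=2152):   # constructed test frame
    iph = lambda p, b: struct.pack("!BBHIBBH8x", 0x45, 0, 20 + len(b), 0, 64, p, 0) + b
    inner = iph(6, struct.pack("!HH8xBB6x", 40000, 8080, 0x50, 0x18) + payload)
    g = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 1) + inner
    u = struct.pack("!HHHH", 40001, port, 8 + len(g), 0) + g
    return bytes(12) + b"\x08\x00" + iph(17, u)
```

Calling `dissect(sample_frame())` walks the Ethernet->IP->UDP->GTP->IP->TCP chain from the question; moving the UDP port off 2152 stops the chain at UDP, because no entry in the port table matches.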
