Wireshark


Wireshark-users: Re: [Wireshark-users] Detecting protocol headers



From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Fri, 6 Mar 2009 11:08:28 -0700

On Fri, Mar 06, 2009 at 01:01:51AM -0800, Rayne wrote:

> From what I've read, a protocol tree is first built that stores the 
> parent-child relationships of the various protocols, then a dissector 
> is called for each protocol. My question is how, say for the GTP 
> packet, the UDP dissector knows to call the GTP dissector next. Does 
> the UDP dissector make this call based on the port numbers, or by 
> looking at subsequent bytes in the packet? And how does the TCP 
> dissector know that there are no more headers after it? And in the 
> more general sense, how does the current dissector know which 
> dissector it should call next?

Take a look at epan/dissectors/packet-udp.c in the source code.  In 
particular, the decode_udp_ports() function.  The UDP dissector follows 
the general method for finding the next dissector to call.  In the case 
of UDP, it uses the port number to find which dissector(s) has 
registered itself on that udp port and then calls it.  If there is more 
than one, it is expected that each one will do a heuristic check of 
(usually) the first few bytes of the packet to determine if it should 
accept the packet and if not, Wireshark gives it to the next dissector 
registered on that port to see if it will accept it with a heuristic 
check.


Steve
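The lookup Steve describes, as an added simplified model in Python (this is illustration code, not Wireshark's own source and not part of the original thread): a per-port table on which more than one dissector may be registered, each taking a heuristic look at the first bytes before accepting, with a fall-through to the next registrant and finally to the generic "data" dissector. The second dissector on the port ("vendor_proto") and the sample payloads are constructed; GTP-U on UDP port 2152 and the GTPv1 version/PT bits are real.

```python
# Simplified model of how the UDP dissector hands its payload to the next
# dissector. Added illustration only; Wireshark's real decode_udp_ports()
# in epan/dissectors/packet-udp.c is more involved (port ordering
# preferences, "try heuristics first", conversation lookups, ...).
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Dissector:
    name: str
    accepts: Callable[[bytes], bool]   # heuristic on the first few bytes

# Model of the "udp.port" dissector table: port -> registered dissectors
udp_port_table: Dict[int, List[Dissector]] = {}

def register_udp_port(port: int, dissector: Dissector) -> None:
    udp_port_table.setdefault(port, []).append(dissector)

def gtp_accepts(payload: bytes) -> bool:
    # GTPv1 fixed header is 8 bytes; first byte = version (3 bits) | PT |
    # spare | E | S | PN. version == 1 and PT == 1 means GTP (not GTP').
    if len(payload) < 8:
        return False
    return (payload[0] >> 5) == 1 and (payload[0] & 0x10) != 0

def vendor_proto_accepts(payload: bytes) -> bool:
    # Constructed second protocol sharing the port: checks a magic prefix.
    return payload.startswith(b"VP\x01")

def decode_udp_payload(src_port: int, dst_port: int, payload: bytes) -> str:
    """Try every dissector registered on the ports, in registration order.
    Each one may reject the packet after its heuristic check, in which
    case the next registrant gets a chance. Simplification: destination
    port is tried before source port."""
    for port in (dst_port, src_port):
        for dissector in udp_port_table.get(port, []):
            if dissector.accepts(payload):
                return dissector.name
    return "data"   # nothing claimed it: generic data dissector

# Two dissectors registered on UDP 2152 (GTP-U's port) for the model.
register_udp_port(2152, Dissector("gtp", gtp_accepts))
register_udp_port(2152, Dissector("vendor_proto", vendor_proto_accepts))

# Constructed payloads: a GTPv1 G-PDU header, a "vendor_proto" message,
# and junk that neither dissector accepts.
GTP_PDU = b"\x32\xff\x00\x04\x00\x00\x00\x01\xde\xad\xbe\xef"
VENDOR_MSG = b"VP\x01\x00\x00\x00\x00\x00hello"
JUNK = b"\x00\x01\x02"
```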

  • Follow-Ups:
    • Re: [Wireshark-users] Detecting protocol headers
      • From: Guy Harris
  • References:
    • [Wireshark-users] Detecting protocol headers
      • From: Rayne
