
Wireshark-dev: Re: [Wireshark-dev] Help understanding Epan's dissectors

Date: Mon, 30 Oct 2006 09:40:49 -0500
Hello,

I understand that Wiretap passes the necessary information in pseudo-headers, but how do the following subdissections work? I mean, who finds out that an Ethernet packet is IP, and from that, which one is TCP, and from that, which one belongs to whatever program...

Thanks,
Ramiro Polla

Quoting Jaap Keuter <jaap.keuter@xxxxxxxxx>:

Hi,

Good question. For the answer you have to search further up the call
chain. Let's see:
file.c:add_packet_to_packet_list()
epan/epan.c:epan_dissect_run()
epan/packet.c:dissect_packet()
epan/dissectors/packet-frame.c:dissect_frame()

So when reading packets from a capture file, metadata (like wtap_encap) is
passed along with it for the frame dissector to use. It's up to the
capture engine writing this capture file metadata to put the right stuff
in there.

Thanx,
Jaap

On Sun, 29 Oct 2006 angustia@xxxxxxxxxxxxxxxxxx wrote:

Hello,

I've been studying Wireshark's source code for a while, but there's
something I still don't understand. It's specifically about the inner
workings of Epan. How does one dissector know and decide which
subdissector is the correct one?

Such as, how does "frame" know which "wtap_encap" is the correct one?
Are there any probe functions around that I am missing?

Thanks,
Ramiro Polla
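The mechanism behind Jaap's call chain is the dissector table: each layer registers itself in a table owned by the layer below, keyed by the value that layer carries (the frame dissector's "wtap_encap" table keyed by the encapsulation Wiretap supplies, then "ethertype", "ip.proto", "tcp.port"), and the "probe functions" Ramiro asks about exist as heuristic dissectors, which are asked in turn when no table entry matches. In Wireshark those are register_dissector_table(), dissector_add_uint() (spelled dissector_add() in the 2006 code base), dissector_try_uint() and heur_dissector_add() in epan/packet.c, called from each packet-*.c's proto_reg_handoff_*() routine. The following Python model is an added illustration written for this page, not Wireshark code: it mirrors the shape of that API over a constructed Ethernet/IPv4/TCP frame (checksums left zero), and the hypothetical "PING" heuristic protocol and port numbers are assumptions for the demonstration.

```python
"""Toy model of epan's dispatch: frame -> wtap_encap -> ethertype -> ip.proto ->
tcp.port / heuristics.  Added illustration; mirrors epan/packet.c's API shape only."""
import struct

# Real values from wiretap/wtap.h and epan/etypes.h.
WTAP_ENCAP_ETHERNET = 1
ETHERTYPE_IP = 0x0800
IP_PROTO_TCP = 6

_tables = {}      # table name -> {integer key: dissector function}
_heuristics = {}  # parent protocol -> [heuristic dissector functions]

def register_dissector_table(name):
    _tables.setdefault(name, {})

def dissector_add_uint(name, key, handle):
    """Register 'handle' for value 'key' in table 'name' (cf. dissector_add_uint())."""
    _tables[name][key] = handle

def heur_dissector_add(parent, handle):
    """Register a probe that may claim a payload the tables cannot place (cf. heur_dissector_add())."""
    _heuristics.setdefault(parent, []).append(handle)

def dissector_try_uint(name, key, data, tree):
    """True if a dissector was registered for 'key' and was called (cf. dissector_try_uint())."""
    handle = _tables.get(name, {}).get(key)
    if handle is None:
        return False
    handle(data, tree)
    return True

def dissector_try_heuristic(parent, data, tree):
    return any(h(data, tree) for h in _heuristics.get(parent, []))

# Dissectors: each appends (protocol, summary) to 'tree' and hands the rest down a table.

def dissect_frame(data, encap, tree):
    tree.append(("frame", f"{len(data)} bytes, encap {encap}"))
    if not dissector_try_uint("wtap_encap", encap, data, tree):
        tree.append(("data", f"{len(data)} bytes"))   # unknown encap: nothing below frame

def dissect_eth(data, tree):
    dst, src, etype = data[:6], data[6:12], struct.unpack("!H", data[12:14])[0]
    tree.append(("eth", f"{src.hex(':')} -> {dst.hex(':')} type 0x{etype:04x}"))
    if not dissector_try_uint("ethertype", etype, data[14:], tree):
        tree.append(("data", f"{len(data) - 14} bytes"))

def dissect_ip(data, tree):
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    proto, src, dst = data[9], data[12:16], data[16:20]
    tree.append(("ip", f"{'.'.join(map(str, src))} -> {'.'.join(map(str, dst))} proto {proto}"))
    payload = data[ihl:total_len]
    if not dissector_try_uint("ip.proto", proto, payload, tree):
        tree.append(("data", f"{len(payload)} bytes"))

def dissect_tcp(data, tree):
    sport, dport = struct.unpack("!HH", data[:4])
    hlen = (data[12] >> 4) * 4
    tree.append(("tcp", f"{sport} -> {dport}"))
    payload = data[hlen:]
    if not payload:
        return
    # Default order in packet-tcp.c: lower port, higher port, then heuristic dissectors.
    low, high = sorted((sport, dport))
    if (dissector_try_uint("tcp.port", low, payload, tree)
            or dissector_try_uint("tcp.port", high, payload, tree)
            or dissector_try_heuristic("tcp", payload, tree)):
        return
    tree.append(("data", f"{len(payload)} bytes"))

def dissect_http(data, tree):
    tree.append(("http", data.split(b"\r\n", 1)[0].decode("ascii", "replace")))

def heur_dissect_ping(data, tree):
    """Hypothetical heuristic: claim the payload only if it starts with the 'PING' magic."""
    if not data.startswith(b"PING"):
        return False
    tree.append(("pingproto", data[4:].decode("ascii", "replace")))
    return True

# Registration, in the shape of each dissector's proto_reg_handoff_*().
for t in ("wtap_encap", "ethertype", "ip.proto", "tcp.port"):
    register_dissector_table(t)
dissector_add_uint("wtap_encap", WTAP_ENCAP_ETHERNET, dissect_eth)
dissector_add_uint("ethertype", ETHERTYPE_IP, dissect_ip)
dissector_add_uint("ip.proto", IP_PROTO_TCP, dissect_tcp)
dissector_add_uint("tcp.port", 80, dissect_http)
heur_dissector_add("tcp", heur_dissect_ping)

def build_packet(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums zero; not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ETHERTYPE_IP) + ip)

def dissect(packet, encap=WTAP_ENCAP_ETHERNET):
    """Run the chain from the frame dissector; returns the protocol tree as a list."""
    tree = []
    dissect_frame(packet, encap, tree)
    return tree

if __name__ == "__main__":
    for pkt in (build_packet(40000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
                build_packet(40001, 4444, b"PINGhello"),
                build_packet(40002, 4444, b"????")):
        for layer, summary in dissect(pkt):
            print(f"{layer:9} {summary}")
        print()
```

Running it shows the three outcomes a dissector can reach: the port-80 segment is placed through the tcp.port table, the port-4444 "PING" segment is claimed by the heuristic probe, and the last one falls through to "data". Passing a wrong encapsulation value to dissect() (e.g. 99) reproduces Jaap's point: the frame dissector finds no entry in wtap_encap and nothing below the frame is recognised, which is why the metadata written by the capture engine has to be right.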

