
Wireshark-dev: Re: [Wireshark-dev] Packet Type detection

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 21 Nov 2006 15:41:34 +0100 (CET)
Hi Piotr,

The thing is, it's not one place where these decisions are made, there is
a string of decisions, all the way up the protocol stack.

Let's take an RTP packet coming in over Ethernet.

First there's a frame, which is fed to the frame dissector. It looks at
the first couple of octets and guesses, according to the contents, that
it's EthernetII. It passes the rest of the frame to the Ethernet
dissector.

The Ethernet dissector looks in the first couple of bytes and knows from
the type field that it's an IP packet. It then hands the rest of the frame
to the IP dissector.

The IP dissector looks in the first couple of bytes and knows from the
protocol field that it's a UDP packet. It then hands the rest of the
frame to the UDP dissector.

The UDP dissector has no clue about the payload, so here things get
creative. A few selection mechanisms are available to select the right
dissector for the payload. There could be information retrieved from
earlier packets which suggest a certain payload. This is the conversation
concept. Another way is to just try. The UDP dissector gives every
interested dissector a chance to see if it recognizes the payload and then
accept it for further dissection. This heuristic dissection could go wrong
of course.

Let's say the RTP dissector gets a go at it. It sees the first few bytes
and they match the signature of an RTP packet. Then it takes the whole
packet and dissects it for you.

In all these steps decisions are made based on the specifications of the
particular protocol.

Thanx,
Jaap
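The chain of decisions described above, as an added example that is not Jaap's code or Wireshark's: each layer reads a selector field (Ethernet type, IP protocol) to pick the next dissector, and UDP falls back to a heuristic RTP check. The RTP signature used here (version bits == 2, payload type outside the RTCP range) is a simplified assumption, not Wireshark's exact test; the frames are constructed inline.

```python
import struct

ETHERTYPE_IPV4 = 0x0800   # Ethernet II type field value for IPv4
IPPROTO_UDP = 17          # IP protocol field value for UDP

def dissect_ethernet(frame):
    # Ethernet II: dst(6) src(6) type(2). The type field picks the next dissector.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype, frame[14:]

def dissect_ipv4(data):
    # IHL nibble gives header length in 32-bit words; protocol field picks next dissector.
    ihl = (data[0] & 0x0F) * 4
    return data[9], data[ihl:]

def dissect_udp(data):
    # UDP says nothing about its payload: return the ports and hand the rest to heuristics.
    sport, dport = struct.unpack("!HH", data[:4])
    return (sport, dport), data[8:]

def heur_rtp(payload):
    # Simplified RTP signature (assumption): 12-byte fixed header, version bits == 2,
    # and a payload type outside the RTCP range 72..76 that would otherwise collide.
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return False
    return (payload[1] & 0x7F) not in range(72, 77)

def dissect_frame(frame):
    # Walk the chain and return the list of dissectors that claimed the bytes.
    chain = ["eth"]
    ethertype, data = dissect_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        return chain                      # no IPv4 match: chain stops here
    chain.append("ip")
    proto, data = dissect_ipv4(data)
    if proto != IPPROTO_UDP:
        return chain                      # only UDP is modelled in this example
    chain.append("udp")
    _ports, payload = dissect_udp(data)
    chain.append("rtp" if heur_rtp(payload) else "data")   # heuristic step
    return chain

def build_frame(payload, ethertype=ETHERTYPE_IPV4, proto=IPPROTO_UDP):
    # Constructed test frame: Ethernet II / IPv4 / UDP / payload, checksums left at 0.
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return bytes(12) + struct.pack("!H", ethertype) + ip

# Constructed payloads: a minimal RTP v2 packet and an arbitrary non-RTP payload.
RTP_PAYLOAD = bytes([0x80, 0x00]) + struct.pack("!HII", 1, 160, 0xDEADBEEF) + bytes(20)
OTHER_PAYLOAD = bytes([0x12, 0x34, 0x01, 0x00]) + bytes(20)
```

Because the last step is a guess, a payload whose first byte happens to start with the bits 10 would also be claimed as RTP; that is the "could go wrong" case in the explanation above.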
On Tue, 21 Nov 2006, Piotr Wójcicki wrote:

> As I understand, when Wireshark knows what protocol it is dealing with, it passes the data to the appropriate dissector to decode
> the packet. Could you please direct me to a piece of code where this detection is actually done? Where does Wireshark detect
> that it should use the IP dissector, then the TCP dissector and so on?
>
> Thank you
> Piotr Wójcicki