Hi,
I'm trying to understand how Wireshark is able to detect all the different protocol layers in a packet, e.g. Ethernet->IP->UDP->GTP->IP->TCP->Payload.
From what I've read, a protocol tree is first built that stores the parent-child relationships of the various protocols, then a dissector is called for each protocol. My question is how, say for the GTP packet, the UDP dissector knows to call the GTP dissector next. Does the UDP dissector make this call based on the port numbers, or by looking at subsequent bytes in the packet? And how does the TCP dissector know that there are no more headers after it? And in the more general sense, how does the current dissector know which dissector it should call next?
Thank you. |
