Hello,
I understand that Wiretap passes the necessary information in
pseudo-headers, but how do the following subdissections work? I
mean, who finds out that an ethernet packet is IP, and from that,
which one is TCP, and from that, which one belongs to whatever
program...
Thanks,

Hi,
Ah, so all is clear on the wiretap front. Well from there on (look in
packet-frame.c) the frame dissector looks in wtap_encap_dissector_table
for the dissector handling Ethernet (in this case). This dissector (see
packet-eth.c) has registered itself during startup in this table (search
for

Hello,
I think I get it now. It is not the higher level dissectors that
actively search for lower level dissectors in their source file. It is
the lower level dissectors that register themselves with all possible
higher level dissectors where they might occur. So the packet-*.c
files

Hi,
See the frame dissector in packet-frame.c for instance. It uses this line:
    if (!dissector_try_port(wtap_encap_dissector_table, pinfo->fd->lnk_t,
                            tvb, pinfo, parent_tree)) {
It uses wtap_encap_dissector_table to search for the pinfo->fd->lnk_t
entry and calls that dissector (okay, it's

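As an added illustration of the two points made above (lower-level dissectors registering themselves in a table owned by the layer above, and frame then only doing a lookup with dissector_try_port), here is a constructed C model of that table mechanism. It is not Wireshark's own code; the table types, the LNK_ETHERNET value and the sample frames are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the pattern from the thread, not Wireshark's code: each lower-level dissector registers itself in a table owned by the layer above it, which only does a lookup. */
#define LNK_ETHERNET 1        /* assumed stand-in for a wtap encapsulation value */
#define ETHERTYPE_IP 0x0800
#define MAX_ENTRIES  8
typedef void (*dissector_t)(const uint8_t *buf, size_t len);
typedef struct { uint32_t port; dissector_t handler; } entry_t;
typedef struct { entry_t e[MAX_ENTRIES]; int n; } dissector_table_t;
static dissector_table_t wtap_encap_table;  /* owned by frame, keyed by link type */
static dissector_table_t ethertype_table;   /* owned by eth, keyed by ethertype */
static char chain[64];                      /* records which dissectors ran, in order */
static void dissector_add(dissector_table_t *t, uint32_t port, dissector_t h) {
    if (t->n < MAX_ENTRIES) { t->e[t->n].port = port; t->e[t->n].handler = h; t->n++; }
}
/* Run the dissector registered for port; returns 0 if nobody registered for it. */
static int dissector_try_port(dissector_table_t *t, uint32_t port, const uint8_t *buf, size_t len) {
    for (int i = 0; i < t->n; i++)
        if (t->e[i].port == port) { t->e[i].handler(buf, len); return 1; }
    return 0;
}
static void dissect_ip(const uint8_t *buf, size_t len) { (void)buf; (void)len; strcat(chain, ":ip"); }
/* eth parses only its own header; the ethertype field selects the next dissector via the table. */
static void dissect_eth(const uint8_t *buf, size_t len) {
    strcat(chain, ":eth");
    if (len < 14) return;
    uint32_t ethertype = ((uint32_t)buf[12] << 8) | buf[13];
    if (!dissector_try_port(&ethertype_table, ethertype, buf + 14, len - 14))
        strcat(chain, ":data");   /* unknown payload falls through to raw data */
}
/* frame is the top of the chain; lnk_t plays the role of pinfo->fd->lnk_t. Returns the chain that ran. */
static const char *dissect_frame(uint32_t lnk_t, const uint8_t *buf, size_t len) {
    strcpy(chain, "frame");
    if (!dissector_try_port(&wtap_encap_table, lnk_t, buf, len)) strcat(chain, ":data");
    return chain;
}
static void register_all(void) {   /* done once at startup, by the lower-level dissectors themselves */
    dissector_add(&wtap_encap_table, LNK_ETHERNET, dissect_eth);
    dissector_add(&ethertype_table, ETHERTYPE_IP, dissect_ip);
}
/* Constructed sample frames: 12 bytes of MAC addresses, 2-byte ethertype, 1 payload byte. */
static const uint8_t sample_ip_frame[]  = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45};
static const uint8_t sample_arp_frame[] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x06, 0x00};
int main(void) {
    register_all();
    printf("%s\n", dissect_frame(LNK_ETHERNET, sample_ip_frame, sizeof sample_ip_frame));
    return 0;
}
```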
Hello,
I've been studying Wireshark's source code for a while, but there's
something I still don't understand. It's specifically about the inner
workings of Epan. How does one dissector know and decide which
subdissector is the correct one?
Such as, how does frame know which wtap_encap

Hi,
Good question. For the answer you have to search further up the call
chain. Let's see:
file.c:add_packet_to_packet_list()
epan/epan.c:epan_dissect_run()
epan/packet.c:dissect_packet()
epan/dissectors/packet-frame.c:dissect_frame()
So when reading packets from a capture file, metadata (like