Hello,

I understand that Wiretap passes the necessary information in
pseudo-headers, but how do the following subdissections work? I
mean, who finds out that an ethernet packet is IP, and from that,
which one is TCP, and from that, which one belongs to whatever
program...

Thanks,
Ramiro Polla

Quoting Jaap Keuter <[EMAIL PROTECTED]>:

> Hi,
>
> Good question. For the answer you have to search further up the call
> chain. Let's see:
> file.c:add_packet_to_packet_list()
> epan/epan.c:epan_dissect_run()
> epan/packet.c:dissect_packet()
> epan/dissectors/packet-frame.c:dissect_frame()
>
> So when reading packets from a capture file, metadata (like wtap_encap) is
> available, passed along with it for the frame dissector to use. It's up to
> the capture engine writing this capture file metadata to put the right
> stuff in there.
>
> Thanx,
> Jaap
>
> On Sun, 29 Oct 2006 [EMAIL PROTECTED] wrote:
>
>> Hello,
>>
>> I've been studying Wireshark's source code for a while, but there's
>> something I still don't understand. It's specifically about the inner
>> workings of Epan. How does one dissector know and decide which
>> subdissector is the correct one?
>>
>> Such as, how does "frame" know which "wtap_encap" is the correct one?
>> Are there any probe functions around that I am missing?
>>
>> Thanks,
>> Ramiro Polla
>>
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
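
The hand-off discussed in this thread, as an added example that is not part of the original messages and is not Wireshark's code: a toy model in which the frame layer dispatches on the encapsulation value stored with the packet, and each later layer picks its subdissector from a selector field in its own header. It goes one step beyond the quoted reply by also showing the ethertype and IP protocol lookups; every function, table and constant name is hypothetical.

```c
/* Toy model of chained dissection. Every name is hypothetical, not Wireshark's API. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ENCAP_ETHERNET = 1 };               /* stands in for a wtap_encap value */
typedef struct { char path[64]; } tree_t;  /* layers seen, e.g. "frame:eth" */
typedef void (*dissector_t)(const uint8_t *p, size_t n, tree_t *t);
typedef struct { uint32_t key; dissector_t fn; } entry_t;
static void add(tree_t *t, const char *name) {
    if (t->path[0]) strncat(t->path, ":", sizeof t->path - strlen(t->path) - 1);
    strncat(t->path, name, sizeof t->path - strlen(t->path) - 1);
}
/* Look the selector up in a table; unknown values fall back to "data". */
static void call_sub(const entry_t *tab, size_t cnt, uint32_t key,
                     const uint8_t *p, size_t n, tree_t *t) {
    for (size_t i = 0; i < cnt; i++)
        if (tab[i].key == key) { tab[i].fn(p, n, t); return; }
    add(t, "data");
}
static void dissect_tcp(const uint8_t *p, size_t n, tree_t *t) { (void)p; (void)n; add(t, "tcp"); }
static const entry_t ip_proto_table[] = { { 6, dissect_tcp } };
static void dissect_ip(const uint8_t *p, size_t n, tree_t *t) {
    add(t, "ip");
    size_t ihl = n >= 20 ? (size_t)(p[0] & 0x0f) * 4 : 0;  /* header length from the packet */
    if (ihl < 20 || ihl > n || (p[0] >> 4) != 4) { add(t, "malformed"); return; }
    call_sub(ip_proto_table, 1, p[9], p + ihl, n - ihl, t);  /* selector: protocol byte */
}
static const entry_t ethertype_table[] = { { 0x0800, dissect_ip } };

static void dissect_eth(const uint8_t *p, size_t n, tree_t *t) {
    add(t, "eth");
    if (n < 14) { add(t, "malformed"); return; }
    call_sub(ethertype_table, 1, (uint32_t)(p[12] << 8 | p[13]), p + 14, n - 14, t);
}
static const entry_t encap_table[] = { { ENCAP_ETHERNET, dissect_eth } };

/* The frame layer cannot learn the link type from the bytes: it dispatches on
 * the encapsulation value the capture file reader recorded with the packet. */
const char *dissect_frame(int encap, const uint8_t *p, size_t n, tree_t *t) {
    t->path[0] = '\0';
    add(t, "frame");
    call_sub(encap_table, 1, (uint32_t)encap, p, n, t);
    return t->path;
}
/* Constructed sample: Ethernet II + IPv4 (protocol 6) + 20 zeroed payload bytes. */
const uint8_t sample_pkt[54] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,                   /* dst, src, ethertype */
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };  /* IPv4 header */
```

Each layer validates lengths before reading its selector, so a truncated capture ends the chain with a "malformed" marker instead of reading past the buffer.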

