Wireshark-dev: Re: [Wireshark-dev] How does the wireshark identify the corresponding protocol a
On Dec 21, 2008, at 10:16 PM, Yuming fang wrote:
> I am adding a new protocol to Wireshark. When I add the new
> protocol, there are some basic questions I could not understand, as
> follows.
> (1) When capturing data from the netcard, how does Wireshark choose
> the protocol dissector to process the data?
Wireshark does not, itself, capture data. It runs a program that
comes with Wireshark, named dumpcap; dumpcap writes packets to a
capture file, and sends messages to Wireshark over a pipe to tell it
that new packets have been written to the file. Wireshark then reads
the packets from the file.
Dumpcap writes the file out in libpcap format, which is Wireshark's
native format. At the beginning of a libpcap-format file is a file
header that includes a link-layer type value.
Wireshark's code to read capture files maps the link-layer type values
in the file to its own set of link-layer type values; it can read many
different types of capture files, including but not limited to libpcap
format, and the different capture file types have different link-layer
type values - the Wireshark code (the Wiretap library) maps those to a
single set of type values, so the dissecting code doesn't have to know
the details about libpcap or Network Monitor or Sniffer or... link-
layer type values.
> For example, if Wireshark receives TCP data, how could it know that
> these data are TCP data and thus choose the TCP protocol dissector to
> process them?
Well, TCP data is usually carried inside an IPv4 or IPv6 packet, which
is carried inside an Ethernet or 802.11 or PPP or... packet.
Wireshark will first look at the link-layer type value and call the
appropriate dissector for that. That dissector will determine what
the next protocol to dissect is; for example, with Ethernet, it'll
look at the Ethernet type value (for packets with a type value) and
call the appropriate dissector for that. For an Ethernet type value
of hex 0800, that will be the IPv4 dissector. The IPv4 dissector will
look at the protocol field in the IPv4 header and call the appropriate
dissector, such as the ICMP or TCP or UDP or... dissector.
> (2) I want to use Wireshark to process the LTE data (actually mainly
> to display the LTE data format in Wireshark). Now we have written some
> code. However, we do not have the LTE netcard. So I want to send the
> LTE data through a TCP socket (port 9999) so that Wireshark could
> receive the LTE data through TCP (port 9999). Now I can get
> these LTE data, but how can I let Wireshark display the LTE
> data format like a tree? How can I add the LTE code into the
> TCP (port 9999) to process the LTE data?
You would write a dissector for the LTE data, and have it register
with the "tcp.port" dissector table with the value 9999, so that it'll
be called by the TCP dissector for packets to or from port 9999.
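To make both points above concrete (the dissector chain that ends at the TCP dissector, and the "tcp.port" registration), here is an added example of a minimal Wireshark Lua dissector. It is not part of the original reply or of the Wireshark sources, and the payload layout it decodes (a 1-byte message type, a 2-byte big-endian length, then that many payload bytes) is a made-up stand-in for whatever the real LTE framing is; the protocol name "lte_demo" and its field names are likewise assumptions. Dropped into Wireshark's plugins directory, it is invoked by the TCP dissector for every segment to or from port 9999, exactly as the reply describes.

```lua
-- Added example, not code from the thread or from Wireshark itself.
-- How control reaches this script: the link-layer dissector (e.g. Ethernet,
-- type 0x0800) hands the frame to IPv4, IPv4 sees protocol 6 and hands it to
-- TCP, and TCP looks up the "tcp.port" dissector table, where we register
-- below for port 9999.  The framing below is a hypothetical placeholder.

local lte_demo = Proto("lte_demo", "LTE over TCP (demo framing)")

-- Fields that will appear in the packet-details tree and be filterable
-- as lte_demo.type, lte_demo.length and lte_demo.data.
local f_type = ProtoField.uint8 ("lte_demo.type",   "Message type",   base.HEX)
local f_len  = ProtoField.uint16("lte_demo.length", "Payload length", base.DEC)
local f_data = ProtoField.bytes ("lte_demo.data",   "Payload")

lte_demo.fields = { f_type, f_len, f_data }

-- buffer: the TCP payload (a Tvb); pinfo: per-packet info; tree: the
-- protocol tree to add our subtree to.  Returns the number of bytes used.
function lte_demo.dissector(buffer, pinfo, tree)
    local total = buffer:len()
    if total < 3 then
        -- Not even a full header: decline, and TCP shows it as plain data.
        return 0
    end

    pinfo.cols.protocol = "LTE-demo"

    local subtree = tree:add(lte_demo, buffer(), "LTE demo message")
    subtree:add(f_type, buffer(0, 1))
    subtree:add(f_len,  buffer(1, 2))

    local payload_len = buffer(1, 2):uint()
    local avail = total - 3
    if payload_len > avail then
        -- The declared length is larger than what this segment carries.
        -- Flag it as malformed instead of reading past the end of the buffer.
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            string.format("declared length %d exceeds %d available bytes",
                          payload_len, avail))
        return total
    end

    subtree:add(f_data, buffer(3, payload_len))
    return 3 + payload_len
end

-- Registration: this is the step the reply describes.  The TCP dissector
-- consults "tcp.port" with the segment's source and destination ports and
-- calls our dissector when either one is 9999.
DissectorTable.get("tcp.port"):add(9999, lte_demo)
```

Because TCP is a byte stream, a message may be split across segments; a production version would, when fewer than 3 + length bytes are available, set `pinfo.desegment_len` to the number of missing bytes and `pinfo.desegment_offset` to 0 so that the TCP dissector reassembles the message before calling back, rather than flagging the short segment as malformed as this demo does.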