Wireshark-dev: Re: [Wireshark-dev] How does the wireshark identify the corresponding protocol a
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 22 Dec 2008 12:57:16 -0800

On Dec 21, 2008, at 10:16 PM, Yuming fang wrote:

I am adding a new protocol to wireshark. When I add the new protocol, there are some basic questions I could not understand as follows.

(1) When capturing data from netcard, how does the wireshark choose the protocol dissector to process the data?

Wireshark does not, itself, capture data. It runs a program that comes with Wireshark, named dumpcap; dumpcap writes packets to a capture file, and sends messages to Wireshark over a pipe to tell it that new packets have been written to the file. Wireshark then reads the packets from the file.

Dumpcap writes the file out in libpcap format, which is Wireshark's native format. At the beginning of a libpcap-format file is a file header that includes a link-layer type value.

Wireshark's code to read capture files maps the link-layer type values in the file to its own set of link-layer type values; it can read many different types of capture files, including but not limited to libpcap format, and the different capture file types have different link-layer type values - the Wireshark code (the Wiretap library) maps those to a single set of type values, so the dissecting code doesn't have to know the details about libpcap or Network Monitor or Sniffer or... link- layer type values.

For example, if wireshark receive the tcp data, how could it know these data is tcp data and thus choose tcp protocol dissector to process these data?

Well, TCP data is usually carried inside an IPv4 or IPv6 packet, which is carried inside an Ethernet or 802.11 or PPP or... packet.

Wireshark will first look at the link-layer type value and call the appropriate dissector for that. That dissector will determine what the next protocol to dissect is; for example, with Ethernet, it'll look at the Ethernet type value (for packets with a type value) and call the appropriate dissector for that. For an Ethernet type value of hex 0800, that will be the IPv4 dissector. The IPv4 dissector will look at the protocol field in the IPv4 header and call the appropriate dissector, such as the ICMP or TCP or UDP or... dissector.

(2) I want to use wireshark to process the LTE data(Actually mainly display the LTE data format in wireshark). Now we have written some code. However, we have not the LTE netcard. So I want to send the LTE data through TCP socket(Port is 9999) and thus wireshark could receive the LTE data through the TCP(Port:9999). Now I could get these LTE data, but how could I let the wireshark display the LET data format like a tree? How could I add the LTE code into the TCP(Port:9999) to process the LET data?

You would write a dissector for the LTE data, and have it register with the "tcp.port" dissector table with the value 9999, so that it'll be called by the TCP dissector for packets to or from port 9999.