Wireshark-dev: [Wireshark-dev] Detecting Protocol Headers
From: Rayne <hjazz6@xxxxxxxxx>
Date: Mon, 9 Mar 2009 18:09:00 -0700 (PDT)
Hi,

I'm interested in understanding how Wireshark detects protocol headers in a packet and peels off each layer to get to the payload.

I took a look at packet-udp.c and packet-ip.c, and am wondering where I can find the definitions of the following functions:
call_dissector()
dissector_add()
dissector_try_heuristic()
dissector_try_port()
register_dissector_table()
register_heur_dissector_list()

and the following structures:
dissector_table_t
heur_dissector_list_t
dissector_handle_t

Also, where are the UDP ports and list of heuristic dissectors tried by the UDP dissector defined? From what I can understand from packet-udp.c, the structures udp_dissector_table and heur_subdissector_list are first defined and registered in the file packet-udp.c itself. So how would the UDP dissector know which sub-dissector and UDP ports to try next in order to call the next dissector? Also, are the dissectors in the heuristics list determined by statistics? For example, if say Protocol A follows Protocol B 80% of the time from traffic observed, then Protocol A is included in the heuristic list of dissectors to try by Protocol B?

And am I right to say that the protocol tree is built before the first packet is captured, when all the protocol dissectors are registered? In other words, as each dissector is registered, it is added to the protocol tree accordingly. So if I were to add a new dissector, say, Ethernet -> IP -> new_protocol -> TCP -> Payload, I would have to add this new protocol such that it extends from the IP branch? And this is done by calling the function dissect_new_protocol and using the corresponding argument "tree"? Also, it appears that dissector_add() would be called so that the IP -> new_protocol relationship can be established?

Where can I find an example where dissect-protocol() is called?

I also noticed that in packet-ip.c, the function dissector_try_port() is called. However, it appears that the "port" used here is the protocol field. Without seeing the definition for dissector_try_port(), I'm guessing that the second argument of this function is the search criteria, and for UDP (and presumably TCP), it's the source/destination ports, whereas for IP, it's the protocol field. Is this correct?

Thank you and sorry for the long post and questions!
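As an added illustration of the registration mechanism asked about (a small Python model written here, not Wireshark code; in the Wireshark tree the listed functions are defined in epan/packet.c, and their prototypes together with the dissector_table_t, heur_dissector_list_t and dissector_handle_t types are in epan/packet.h), each sub-dissector registers itself into a named table or heuristic list from its own handoff routine, so the IP and UDP dissectors only look a pattern up at dissection time and never hard-code their children. The packet bytes, port numbers and the CA FE magic check are constructed for the example; the heuristic dissector in the model, like a Wireshark heuristic dissector, decides by inspecting the payload, not by any traffic statistics.

```python
import struct
# Simplified model of Wireshark's dispatch tables, written for illustration; NOT Wireshark's code.
TABLES = {}      # register_dissector_table()/dissector_add(): table name -> {pattern: handler}
HEUR_LISTS = {}  # register_heur_dissector_list()/heur_dissector_add(): list name -> [handler]

def register_dissector_table(name): TABLES[name] = {}
def dissector_add(name, pattern, handler): TABLES[name][pattern] = handler
def register_heur_dissector_list(name): HEUR_LISTS[name] = []
def heur_dissector_add(name, handler): HEUR_LISTS[name].append(handler)

def dissector_try_port(name, pattern, payload, layers):
    # pattern is whatever the table is keyed on: a protocol number for ip.proto, a port for udp.port.
    handler = TABLES[name].get(pattern)
    if handler: handler(payload, layers)
    return handler is not None
def dissector_try_heuristic(name, payload, layers):
    # Each heuristic dissector inspects the bytes itself and returns True only if it claims them.
    return any(h(payload, layers) for h in HEUR_LISTS[name])

def dissect_ip(pkt, layers):
    layers.append("ip")
    hdr_len = (pkt[0] & 0x0F) * 4
    if not dissector_try_port("ip.proto", pkt[9], pkt[hdr_len:], layers):
        layers.append("data")

def dissect_udp(pkt, layers):
    layers.append("udp")
    sport, dport = struct.unpack("!HH", pkt[:4])
    payload = pkt[8:]
    # Registered ports first (lower port, then higher), then the heuristic list, then plain data.
    for port in sorted((sport, dport)):
        if dissector_try_port("udp.port", port, payload, layers): return
    if not dissector_try_heuristic("udp", payload, layers): layers.append("data")

def dissect_dns(payload, layers): layers.append("dns")
def dissect_magic(payload, layers):
    # Constructed heuristic: claims the payload only if it starts with the magic bytes CA FE.
    claimed = payload.startswith(b"\xca\xfe")
    if claimed: layers.append("magic")
    return claimed

# What each proto_reg_handoff_*() does: sub-dissectors register themselves; parents never hard-code them.
register_dissector_table("ip.proto"); register_dissector_table("udp.port"); register_heur_dissector_list("udp")
dissector_add("ip.proto", 17, dissect_udp)
dissector_add("udp.port", 53, dissect_dns)
heur_dissector_add("udp", dissect_magic)

def ipv4_udp(sport, dport, payload):
    # Constructed IPv4+UDP bytes (10.0.0.1 -> 10.0.0.2) with zeroed checksums; nothing here verifies them.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes([10,0,0,1]), bytes([10,0,0,2])) + udp
```

Call `dissect_ip(ipv4_udp(40000, 53, b"\x12\x34"), layers)` with an empty `layers` list to see the peeled stack `["ip", "udp", "dns"]`; a payload on unregistered ports falls through to the heuristic list and then to `"data"`.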