On Fri, Mar 06, 2009 at 01:01:51AM -0800, Rayne wrote:
> From what I've read, a protocol tree is first built that stores the
> parent-child relationships of the various protocols, then a dissector
> is called for each protocol. My question is how, say for the GTP
> packet, the UDP dissector knows to call the GTP dissector next. Does
> the UDP dissector make this call based on the port numbers, or by
> looking at subsequent bytes in the packet? And how does the TCP
> dissector know that there are no more headers after it? And in the
> more general sense, how does the current dissector know which
> dissector it should call next?

Take a look at epan/dissectors/packet-udp.c in the source code, in
particular the decode_udp_ports() function. The UDP dissector follows
the general method for finding the next dissector to call. In the case
of UDP, it uses the port number to find which dissector(s) have
registered themselves on that UDP port and then calls them. If there is
more than one, it is expected that each one will do a heuristic check of
(usually) the first few bytes of the packet to determine if it should
accept the packet; if not, Wireshark gives it to the next dissector
registered on that port to see if it will accept it with a heuristic
check.

Steve
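
Added example, not part of the original message and not Wireshark source code: a simplified C model of the dispatch described in the reply above, where candidates registered on a UDP port are tried in order and each one length-checks and inspects the first bytes before accepting. The names dispatch_udp, try_gtp and try_other, the "XP" protocol, the sample packets and the choice to match on either port are assumptions made for illustration; 2152 is the GTP-U port.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only: a dissector returns 1 to accept the payload, 0 to decline. */
typedef int (*dissector_fn)(const uint8_t *data, size_t len);
struct port_entry { uint16_t port; const char *name; dissector_fn fn; };

/* GTPv1 heuristic: at least the 8-byte mandatory header, and version 1
 * in the top three bits of byte 0. The length check comes first so a
 * truncated packet is never read past its end. */
static int try_gtp(const uint8_t *d, size_t len)
{
    return len >= 8 && (d[0] >> 5) == 1;
}

/* Hypothetical second protocol on the same port, magic bytes "XP". */
static int try_other(const uint8_t *d, size_t len)
{
    return len >= 2 && d[0] == 'X' && d[1] == 'P';
}

/* Registration table: two dissectors share UDP port 2152. */
static const struct port_entry table[] = {
    { 2152, "gtp",   try_gtp   },
    { 2152, "other", try_other },
};

/* Offer the payload to each dissector registered on either port, in
 * registration order; fall back to generic "data" if none accepts. */
const char *dispatch_udp(uint16_t sport, uint16_t dport,
                         const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].port != sport && table[i].port != dport)
            continue;                 /* not registered on this port */
        if (table[i].fn(payload, len))
            return table[i].name;     /* heuristic accepted */
    }
    return "data";
}

int main(void)
{
    /* Constructed sample: GTPv1 G-PDU header followed by 4 payload bytes. */
    const uint8_t pkt[] = { 0x30, 0xff, 0x00, 0x04, 0, 0, 0, 1, 1, 2, 3, 4 };
    printf("%s\n", dispatch_udp(40000, 2152, pkt, sizeof pkt));
    return 0;
}
```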