Hello, community, I read the developer documentation about writing own plugins for Wireshark. However, there is still one thing I did not understand. Heuristic dissectors use some heuristics to see whether the packet in question is of the protocol they can dissect. But how do normal dissectors know? As far as I understood, they register on the special protocol header, but the exact procedure is not clear for me... Could anybody give a short explanation? Best regards Ewgenij asked 12 Nov '12, 07:58  Ewgenijkkg |
One Answer:
Depends on how the protocol works but it is common that the lower protocol has a dissector table in which the next protocol can register, see "internals->dissector tables" The Ethernet dissector has a table for etherypes where dissectors can register. If there is a dissector for the ethertype in question that will be called. If it's IP the IP dissector will be called, IP has a protocol field so that is used as a dissector table. If the next protocol is UDP the UDP dissector has a udp.port table and will cal the dissector registered for that port etc. answered 12 Nov '12, 08:31  Anders ♦ |
Ah, Ok, I understand. Thank you. And what about this "see "internals->dissector tables""? Where can I find it? :)
Main menubar, next to help
OK, thank you a lot!