This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, community, I read the developer documentation about writing your own plugins for Wireshark. However, there is still one thing I did not understand. Heuristic dissectors use some heuristics to see whether the packet in question is of the protocol they can dissect. But how do normal dissectors know? As far as I understood, they register on the special protocol header, but the exact procedure is not clear to me... Could anybody give a short explanation?

Best regards Ewgenij

asked 12 Nov '12, 07:58

Ewgenijkkg


Depends on how the protocol works, but it is common that the lower protocol has a dissector table in which the next protocol can register; see "internals->dissector tables". The Ethernet dissector has a table for ethertypes where dissectors can register. If there is a dissector for the ethertype in question, that will be called. If it's IP, the IP dissector will be called; IP has a protocol field, so that is used as a dissector table. If the next protocol is UDP, the UDP dissector has a udp.port table and will call the dissector registered for that port, etc.


answered 12 Nov '12, 08:31

Anders ♦

Ah, Ok, I understand. Thank you. And what about this "see "internals->dissector tables""? Where can I find it? :)

(13 Nov '12, 00:24) Ewgenijkkg

Main menubar, next to help

(13 Nov '12, 00:27) Anders ♦

OK, thank you a lot!

(13 Nov '12, 00:57) Ewgenijkkg
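
The lookup chain described in the answer above (ethertype table, then the IP protocol field, then the udp.port table), as an added example that is not part of the original thread and is not Wireshark code: a simplified C model in which every function and table name is illustrative. It keys the UDP table on the destination port only, and port 9999 and the `myproto` dissector are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of dissector tables; names are illustrative, not Wireshark's API. */
typedef void (*dissector_fn)(const uint8_t *b, size_t len, char *trace);
typedef struct { uint32_t key[8]; dissector_fn fn[8]; int n; } table;
static table ethertype_tbl, ip_proto_tbl, udp_port_tbl;
static void table_add(table *t, uint32_t key, dissector_fn fn) {
    if (t->n < 8) { t->key[t->n] = key; t->fn[t->n++] = fn; }
}
/* Call the dissector registered for key; with none, the payload stays generic data. */
static void table_try(table *t, uint32_t key, const uint8_t *b, size_t len, char *trace) {
    for (int i = 0; i < t->n; i++)
        if (t->key[i] == key) { t->fn[i](b, len, trace); return; }
    strcat(trace, "/data");
}
static void dissect_myproto(const uint8_t *b, size_t len, char *trace) {
    (void)b; (void)len; strcat(trace, "/myproto");
}
static void dissect_udp(const uint8_t *b, size_t len, char *trace) {
    strcat(trace, "/udp");
    if (len < 8) return;                       /* truncated UDP header */
    table_try(&udp_port_tbl, (uint32_t)(b[2] << 8 | b[3]), b + 8, len - 8, trace);
}
static void dissect_ip(const uint8_t *b, size_t len, char *trace) {
    strcat(trace, "/ip");
    size_t ihl = len ? (size_t)(b[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || ihl > len) return;         /* malformed or truncated header */
    table_try(&ip_proto_tbl, b[9], b + ihl, len - ihl, trace);
}
static void dissect_eth(const uint8_t *b, size_t len, char *trace) {
    strcpy(trace, "eth");
    if (len < 14) return;                      /* truncated Ethernet header */
    table_try(&ethertype_tbl, (uint32_t)(b[12] << 8 | b[13]), b + 14, len - 14, trace);
}
/* Constructed 46-byte frame: 14 Ethernet + 20 IPv4 + 8 UDP + 4 payload bytes. */
const char *dissect_sample(uint16_t ethertype, uint8_t proto, uint16_t dport) {
    static char trace[64];
    uint8_t f[46] = {0};
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)(ethertype & 0xff);
    f[14] = 0x45; f[23] = proto;               /* IPv4, IHL 5, protocol field */
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)(dport & 0xff); /* UDP dst port */
    ethertype_tbl.n = ip_proto_tbl.n = udp_port_tbl.n = 0;
    table_add(&ethertype_tbl, 0x0800, dissect_ip);    /* ethertype: IPv4 */
    table_add(&ip_proto_tbl, 17, dissect_udp);        /* IP protocol: UDP */
    table_add(&udp_port_tbl, 9999, dissect_myproto);  /* constructed port */
    dissect_eth(f, sizeof f, trace);
    return trace;
}
int main(void) { puts(dissect_sample(0x0800, 17, 9999)); return 0; }
```

The returned string lists the dissectors in the order they were called; a key with no registered dissector ends the chain at `data`.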
question asked: 12 Nov '12, 07:58

question was seen: 4,877 times

last updated: 13 Nov '12, 00:57
