This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the meaning of subdissector? What is the relationship between a dissector and its subdissectors?

1

Hi, I'm a newcomer to Wireshark. I want to know what the meaning of subdissector is, and what the relationship is between a dissector and its subdissectors.

Thanks a lot!

asked 03 Mar '13, 00:47

qqgeet

edited 03 Mar '13, 03:42

grahamb ♦

One Answer:

2

Basically, a dissector and a sub-dissector are two names for the same thing. A dissector dissects protocol headers for a certain protocol. When it comes to dissecting the payload, it will hand over the remaining data to the next dissector, which is then called a sub-dissector from the point of view of the dissector.

So if you have a frame like this "ETH->IP->TCP->HTTP", the following relations will exist:

  • Dissector: Ethernet, Subdissector: IP
  • Dissector: IP, Subdissector: TCP
  • Dissector: TCP, Subdissector: HTTP

And for an ICMP destination unreachable frame, it can be like this "ETH->IP->ICMP->IP" which results in the following relationships:

  • Dissector: Ethernet, Subdissector: IP
  • Dissector: IP, Subdissector: ICMP
  • Dissector: ICMP, Subdissector: IP

As you can see, the same dissector (IP) can be a dissector and a sub-dissector. It all depends on the view :-)

answered 03 Mar '13, 11:09

SYN-bit ♦♦

Thank you!

(converted to a comment in keeping with the way ask.wireshark.org works. Please see the FAQ).

(03 Mar '13, 18:13) qqgeet
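
The hand-off described in the answer above, as an added example that is not part of the original thread and not Wireshark's own code: a toy Python model in which each dissector parses its own header and names the subdissector that receives the payload. The lookup tables, function names and sample frames are constructed for illustration.

```python
import struct

# Toy model of dissector hand-off (constructed for illustration; not Wireshark code).
# Each dissector parses its own header and returns (next_dissector_name, payload).
ETHERTYPE = {0x0800: "ip"}
IP_PROTO = {1: "icmp", 6: "tcp"}   # no UDP entry here, so a UDP payload ends the chain
TCP_PORT = {80: "http"}
STOP = (None, b"")                 # nothing to hand off (leaf, truncated or unknown)

def dissect_eth(buf):
    if len(buf) < 14:
        return STOP
    return ETHERTYPE.get(struct.unpack("!H", buf[12:14])[0]), buf[14:]

def dissect_ip(buf):
    ihl = (buf[0] & 0x0F) * 4 if buf else 0
    if ihl < 20 or len(buf) < ihl or buf[0] >> 4 != 4:
        return STOP
    return IP_PROTO.get(buf[9]), buf[ihl:]

def dissect_icmp(buf):
    # Types 3 (destination unreachable) and 11 (time exceeded) embed the offending IP header.
    if len(buf) < 8 or buf[0] not in (3, 11):
        return STOP
    return "ip", buf[8:]           # ICMP's subdissector is IP again

def dissect_tcp(buf):
    off = (buf[12] >> 4) * 4 if len(buf) >= 20 else 0
    if off < 20 or len(buf) < off:
        return STOP
    return TCP_PORT.get(struct.unpack("!H", buf[2:4])[0]), buf[off:]

DISSECTORS = {"eth": dissect_eth, "ip": dissect_ip, "icmp": dissect_icmp,
              "tcp": dissect_tcp, "http": lambda buf: STOP}  # http is a leaf

def protocol_chain(frame):
    chain, name, buf = [], "eth", frame
    while name in DISSECTORS:
        chain.append(name)
        name, buf = DISSECTORS[name](buf)
    return chain

# Constructed sample frames (addresses made up; lengths and checksums left zero).
ETH = bytes(12) + b"\x08\x00"
def ip_hdr(proto):
    return bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 1024, 0, 0)
HTTP_FRAME = ETH + ip_hdr(6) + TCP + b"GET / HTTP/1.1\r\n\r\n"
ICMP_FRAME = ETH + ip_hdr(1) + bytes([3, 3, 0, 0, 0, 0, 0, 0]) + ip_hdr(17) + bytes(8)
```

Calling `protocol_chain()` on the two sample frames returns the two chains from the answer; the same `dissect_ip` function appears once as Ethernet's subdissector and once as ICMP's.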