Ethereal-dev: Re: [Ethereal-dev] Flow chart of ethereal source code : Help !!!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Naveen Kumar Kaushik" <naveenk@xxxxxxxxxxxxx>
Date: Mon, 30 Jun 2003 11:42:48 +0530
Hi list,

After Guy Harris's comments I have updated this document, which I will use to write the flow chart for Ethereal.

As I wrote earlier, the idea is to understand Ethereal's design without going into the details of programming.
I would like to make it very user friendly; please give your comments on the whole or part of it.

Naveen
 
 
Packet Capturing
-------------------------
 
For capturing packets Ethereal uses the libpcap library, so the libpcap format is the native format.
(Check out www.tcpdump.org for details; a nice tutorial is available at www.tcpdump.org/pcap.html, and you can also refer to the pcap
man page on your OS.)
 
When capturing, it finds out the DLT_ type by calling "pcap_datalink()" (and, on AIX, checking to see if we got one of the
bogus values that AIX's "pcap_datalink()" returns and converting it to a *normal* link-layer value). "pcap_datalink()" gets
it from the pcap_t data structure; it's filled in by "pcap_open_live()" (or "pcap_open_offline()", but Ethereal doesn't use that) -
"pcap_open_live()" gets it by using whatever call is appropriate for the OS and packet capture mechanism.
 
When saving packets from the File > Save As... menu item, you can save the file in different formats like Sniffer or Sun snoop.
 
To Do: General discussion on what the general differences are in terms of the information written in different file formats.
       I would like to find out whether between two different formats only the headers are different, or whether the way packet bytes are written is also different.
       My guess is the general format is a file header followed by packet bytes written sequentially. For the file header the most important field is the
       link type, since for any format this will be used to interpret the packet bytes after the header. Hi guys, give more details on this, especially the headers of different file types.
 
 
Analysis of a captured file
-------------------------------------
 
The origin of the capture file may be Ethereal (i.e. a previously captured file) or packets captured and saved using some other software (e.g. an .enc file obtained using Sniffer).
 
Once the file is opened using Ethereal, the following steps are performed (let me know if I am right):
Ethereal reads the file header to find out the file header size, file format and link type.
 
Ethereal uses the wiretap library to call the dissector.
In the wiretap library the link type is mapped to some numerical value. When a file is loaded it uses this numerical value of the link type to find out whether a dissector with this value is registered.
Registered means there is a routine available for this file type which parses through the packet and finds out the different fields. (For writing a new dissector read README.developer in the Ethereal source.)
 
As the packet is parsed, other higher level protocols are found from the packet header and the corresponding dissectors are called.
 
Consider the example of Ethernet (let me know if I am right):
 
            Suppose the packet is from an Ethernet link; the wiretap library calls the Ethernet dissector.
            From the Ethernet header it is found that the packet is an IP packet, so now the IP dissector is called.
            From the IP header it is found that it is a TCP packet, so the dissector for TCP is called.
            From the TCP header it finds out it's an HTTP packet, so the HTTP dissector will be called.
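As an added illustration (not part of Naveen's post or of the Ethereal/wiretap source), a small Python script that does for the libpcap format what the post describes: read the file header to get the link type, look that value up in a dissector registry, then chain Ethernet -> IP -> TCP -> HTTP dissectors over each packet record. The frame, addresses, ports and timestamp are constructed for the example, and only link type 1 (DLT_EN10MB, Ethernet) is registered.

```python
import struct

# Constructed sample frame: Ethernet / IPv4 / TCP (dst port 80) / start of an HTTP
# request. Addresses, ports and checksums are made up for this example.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")            # ethertype IPv4
IPV4 = bytes.fromhex("4500" "0038" "0001" "0000" "4006" "0000"          # proto 6 = TCP
                     "c0a80001" "c0a80002")
TCP = bytes.fromhex("c000" "0050" "00000001" "00000000" "5018" "2000" "0000" "0000")
HTTP = b"GET / HTTP/1.1\r\n"

def dissect_tcp(data, chain):
    chain.append("tcp")
    sport, dport = struct.unpack("!HH", data[:4])
    if 80 in (sport, dport):                 # port-based handoff to the HTTP dissector
        chain.append("http")

def dissect_ipv4(data, chain):
    chain.append("ip")
    ihl = (data[0] & 0x0F) * 4               # IP header length in bytes
    if data[9] == 6:                         # protocol field: 6 = TCP
        dissect_tcp(data[ihl:], chain)

def dissect_eth(data, chain):
    chain.append("eth")
    if struct.unpack("!H", data[12:14])[0] == 0x0800:   # ethertype: IPv4
        dissect_ipv4(data[14:], chain)

# Registry keyed by libpcap link-layer type; 1 is DLT_EN10MB (Ethernet).
LINKTYPE_DISSECTORS = {1: dissect_eth}

def parse_pcap(buf):
    # Return (linktype, [protocol chain per packet]) for an in-memory libpcap file.
    magic = struct.unpack("<I", buf[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)     # magic gives byte order
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "HHiIII", buf[4:24])[5]  # last field of the file header
    dissector = LINKTYPE_DISSECTORS.get(linktype)
    if dissector is None:
        raise ValueError("no dissector registered for link type %d" % linktype)
    chains, off = [], 24
    while off + 16 <= len(buf):              # 16-byte record header, then packet bytes
        incl_len = struct.unpack(end + "IIII", buf[off:off + 16])[2]
        chain = []
        dissector(buf[off + 16:off + 16 + incl_len], chain)
        chains.append(chain)
        off += 16 + incl_len
    return linktype, chains

def build_sample_pcap():
    # Constructed one-packet libpcap file: 24-byte file header followed by one record.
    frame = ETH + IPV4 + TCP + HTTP
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1056950000, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame
```

A frame with an ethertype or IP protocol that no dissector claims simply ends the chain early, which is the behaviour a real dissector tree falls back to as "Data".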