Wireshark-dev: Re: [Wireshark-dev] Using Wireshark packet parsers and pretty printers

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Mon, 9 Mar 2009 16:27:04 -0800
On 3/9/09, Ulisses Araújo Costa <ulissesaraujocosta@xxxxxxxxx> wrote:
> On Mon, Mar 9, 2009 at 23:40, Richard Sharpe
>  <realrichardsharpe@xxxxxxxxx> wrote:
>  > On Mon, Mar 9, 2009 at 3:34 PM, Ulisses Araújo Costa
>  > <ulissesaraujocosta@xxxxxxxxx> wrote:
>  >> I Just want to know what is the function with that I can read a
>  >> tcpdump file and return the structure of a packet...
>  >
>  > The problem is, that is not the way Ethereal works. There is never a
>  > structure carried around that contains the packet as a set of broken
>  > down fields, protocol by protocol.
>  >
>
>
> No!? Can you explain to me the way Wireshark works?

I have written a number of the dissectors in Ethereal/Wireshark,
including the SMB dissector.

The packets are read in as an array of bytes (actually, they are kept
in a TVB, but that is an aside).

The first dissector that gets them is the pcap dissector. It extracts
the fields it needs (and adds them to the protocol tree as it goes) to
figure out what the next layer is, and calls the next dissector
through a table usually.

At each layer it extracts the fields it needs and puts them into the
protocol tree or the columns, however, there is no library that allows
you to parse a packet and then say:

   give me the value of the field tcp.flags or smb.fid or so forth

Ethereal is not organized that way.

The best thing for you to do is to start reading the code.

-- 
Regards,
Richard Sharpe
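A miniature model of the dissection chain described in the mail above, added here as an illustration and not Wireshark's own code: bytes in a buffer, each layer extracting only the fields it needs into a protocol tree, and a lookup table choosing the next dissector. The names (tree_t, dissect_frame, ethertype_register and so on) are invented for the example and do not correspond to Wireshark's API; the Ethernet and IPv4 frame used in testing is constructed.

```c
#include <stdint.h>
#include <string.h>
/* Added model of the dissector chain, not Wireshark code. Bytes come in as a
 * buffer (Wireshark keeps them in a TVB); each layer pulls out only the fields
 * it needs, appends them to a protocol tree, and hands the rest to the next layer. */
#define MAX_FIELDS 16
typedef struct { const char *name; uint32_t value; } field_t;
typedef struct { field_t f[MAX_FIELDS]; int n; } tree_t;
/* Returns payload bytes left for the next layer, or -1 when the input is
 * malformed (a real Wireshark dissector would get a TVB bounds exception). */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len, tree_t *tree);

static void tree_add(tree_t *t, const char *name, uint32_t v) {
    if (t->n < MAX_FIELDS) { t->f[t->n].name = name; t->f[t->n++].value = v; }
}
/* Field lookup after dissection; 0xFFFFFFFF means "not present". */
static uint32_t tree_get(const tree_t *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->f[i].name, name) == 0) return t->f[i].value;
    return 0xFFFFFFFFu;
}
/* EtherType table: the Ethernet layer consults it instead of knowing about IPv4. */
typedef struct { uint16_t key; dissector_fn fn; } table_entry_t;
static table_entry_t ethertype_table[8];
static int ethertype_count;
static void ethertype_register(uint16_t key, dissector_fn fn) {
    if (ethertype_count < 8) ethertype_table[ethertype_count++] = (table_entry_t){ key, fn };
}

static int dissect_ipv4(const uint8_t *buf, size_t len, tree_t *t) {
    if (len < 20) return -1;                        /* truncated header */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;           /* IHL must be 5..15 words and fit */
    tree_add(t, "ip.proto", buf[9]);
    tree_add(t, "ip.src", (uint32_t)buf[12] << 24 | (uint32_t)buf[13] << 16 | buf[14] << 8 | buf[15]);
    return (int)(len - ihl);                        /* payload left for the next layer */
}

static int dissect_eth(const uint8_t *buf, size_t len, tree_t *t) {
    if (len < 14) return -1;
    uint16_t type = (uint16_t)(buf[12] << 8 | buf[13]);
    tree_add(t, "eth.type", type);
    for (int i = 0; i < ethertype_count; i++)
        if (ethertype_table[i].key == type)
            return ethertype_table[i].fn(buf + 14, len - 14, t);
    return 0;                                       /* unknown payload: left as raw data */
}
/* Entry point: register the table once, start a fresh tree, run the chain. */
static int dissect_frame(const uint8_t *buf, size_t len, tree_t *t) {
    if (ethertype_count == 0) ethertype_register(0x0800, dissect_ipv4);
    t->n = 0;
    return dissect_eth(buf, len, t);
}
```

Note that each layer validates its own length and header fields before reading; a dissector that trusts a length field from the packet is the classic source of crashes in protocol parsers.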