Wireshark-dev: Re: [Wireshark-dev] Using Wireshark packet parsers and pretty printers

From: Ulisses Araújo Costa <ulissesaraujocosta@xxxxxxxxx>
Date: Tue, 10 Mar 2009 00:53:28 +0000
On Tue, Mar 10, 2009 at 00:27, Richard Sharpe
<realrichardsharpe@xxxxxxxxx> wrote:
> On 3/9/09, Ulisses Araújo Costa <ulissesaraujocosta@xxxxxxxxx> wrote:
>> On Mon, Mar 9, 2009 at 23:40, Richard Sharpe
>>  <realrichardsharpe@xxxxxxxxx> wrote:
>>  > On Mon, Mar 9, 2009 at 3:34 PM, Ulisses Araújo Costa
>>  > <ulissesaraujocosta@xxxxxxxxx> wrote:
>>  >> I just want to know what function I can use to read a
>>  >> tcpdump file and return the structure of a packet...
>>  >
>>  > The problem is, that is not the way Ethereal works. There is never a
>>  > structure carried around that contains the packet as a set of broken
>>  > down fields, protocol by protocol.
>>  >
>>
>>
>> No!? Can you explain to me the way Wireshark works?
>
> I have written a number of the dissectors in Ethereal/Wireshark,
> including the SMB dissector.
>
> The packets are read in as an array of bytes (actually, they are kept
> in a TVB, but that is an aside).
>
> The first dissector that gets them is the pcap dissector. It extracts
> the fields it needs (and adds them to the protocol tree as it goes) to
> figure out what the next layer is, and calls the next dissector
> through a table usually.
>
> At each layer it extracts the fields it needs and puts them into the
> protocol tree or the columns, however, there is no library that allows
> you to parse a packet and then say:
>
>   give me the value of the field tcp.flags or smb.fid or so forth
>
> Ethereal is not organized that way.
>
> The best thing for you to do is to start reading the code.

Humm... I see. I thank you for that information.
Can you give me some pointers? For example: what file/dir to start?

>
> --
> Regards,
> Richard Sharpe
-- 
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
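The per-layer model Richard describes (bytes arrive in a TVB, each dissector pulls out only the fields it needs, adds them to the protocol tree, and hands the rest to the next layer through a dissector table) can be seen end to end in a small Lua dissector. This is an added illustration, not code from this thread or from Wireshark's own source; the "minihdr" protocol, its UDP port 9999 and its 4-byte field layout are constructed for the example.

```lua
-- Constructed protocol: 1-byte version, 1-byte "next protocol" id,
-- 2-byte payload length, then the payload of the next layer.
local mini = Proto("minihdr", "Mini Header (illustrative)")

local f_version = ProtoField.uint8("minihdr.version", "Version", base.DEC)
local f_next    = ProtoField.uint8("minihdr.next", "Next protocol", base.HEX)
local f_len     = ProtoField.uint16("minihdr.len", "Payload length", base.DEC)
mini.fields = { f_version, f_next, f_len }

-- Expert item raised when the declared length does not fit the captured bytes.
local ef_len = ProtoExpert.new("minihdr.len.bad",
    "Declared payload length exceeds captured payload",
    expert.group.MALFORMED, expert.severity.ERROR)
mini.experts = { ef_len }

-- The table through which this layer hands off to the next dissector,
-- keyed by the "next protocol" byte (the lookup step described in the thread).
local next_table = DissectorTable.new("minihdr.next",
    "Mini Header next protocol", ftypes.UINT8)

function mini.dissector(tvb, pinfo, tree)
    -- tvb is just the byte range for this layer; there is no pre-parsed struct.
    if tvb:len() < 4 then return 0 end
    pinfo.cols.protocol = "MINIHDR"

    -- Extract the fields this layer needs and add them to the protocol tree.
    local subtree = tree:add(mini, tvb(0, 4))
    subtree:add(f_version, tvb(0, 1))
    subtree:add(f_next,    tvb(1, 1))
    local len_item = subtree:add(f_len, tvb(2, 2))

    local declared = tvb(2, 2):uint()
    local payload  = tvb(4):tvb()
    if declared > payload:len() then
        -- Truncated or malformed: flag it and stop rather than hand off bad data.
        len_item:add_proto_expert_info(ef_len)
        return tvb:len()
    end

    -- Hand the payload to whatever is registered for the "next" value;
    -- try() returns the number of bytes consumed, 0 when nothing matched.
    local nxt = tvb(1, 1):uint()
    if next_table:try(nxt, payload, pinfo, tree) == 0 then
        Dissector.get("data"):call(payload, pinfo, tree)
    end
    return tvb:len()
end

-- Register in the UDP port table so the UDP dissector calls us, the same
-- way each lower layer reaches the next one in the thread's description.
DissectorTable.get("udp.port"):add(9999, mini)
```

Loading this with `-X lua_script:minihdr.lua` lets `tshark -T fields -e minihdr.len` read the extracted field back out, which is the closest thing to the "give me tcp.flags" style query asked about above.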