Wireshark-dev: Re: [Wireshark-dev] Detecting Protocol Headers

From: "Guy Harris" <guy@xxxxxxxxxxxx>
Date: Mon, 9 Mar 2009 23:40:56 -0700 (PDT)
Rayne wrote:
> Replies below in blue.

They all look black to me (I'm currently reading this with webmail, and
it's not showing any colors - it's just showing it as plain text; don't
assume that, if you use HTML mail or other rich text mail features, that
it'll show up in everybody's mail - some people may use mail readers that
just show plain text).

> I also have one other question: What happens when in the process of
> dissecting a packet, you encounter a protocol that is not recognized? What
> happens to that packet?

It gets dissected, like any other packet.  The unrecognized protocol data
will probably just be shown as a line saying "Data".

> Points 1 to 4 are the criteria for whether to include a protocol in the
> list of heuristic dissectors of another protocol?

Points 1 through 4 are the criteria for whether the author of a dissector
for one protocol will write code, in the proto_reg_handoff_ routine for
that dissector module, to register that dissector in the list of heuristic
dissectors for another protocol.  (I.e., these criteria apply to humans
writing dissectors, not to Wireshark itself.)

> So in reality, every packet has its own protocol tree that is built as
> protocols are dissected. So 2 packets may have very different protocol
> trees?

Yes.  Those two packets could look very differently, *even if they contain
the same set of protocols (e.g., one DNS-over-UDP-over-IP-over-Ethernet
packet could have different fields from another
DNS-over-UDP-over-IP-over-Ethernet packet).

> Isn't this quite taxing for the system, because the system would
> have to keep track of all these protocol trees until the packets are
> completely dissected and the memory for the trees can be released?

No.  The protocol tree is freed as soon as Wireshark is done with it.  If
you click on a packet, a protocol tree is constructed, and used to show
the dissection in the packet detail pane.  If you click on another packet,
the old protocol tree is freed, and a new protocol tree is constructed for
that packet.  If you then click on the original packet, it's re-dissected
and the protocol tree is reconstructed.

> What is
> the purpose of building a protocol tree for every packet? Just to display
> that information for the user?

To display the information for the user, to evaluate display filter
expressions or color filter expressions or..., to output the packet in
PDML, etc.

> > Where can I find an example where dissect-protocol() is called?
>
> What do you mean by "dissect-protocol()"?
>
> For example "dissect_ip()", "dissect_gtp()" etc.

Dissectors are usually not called directly; they're either called through
a dissector table, or a heuristic dissector list, or a dissector handle. 
There are some cases where they're called directly, usually because some
extra information has to be passed to them (such as the SCSI dissector
routines).

What is it you're looking for there?