Wireshark-dev: Re: [Wireshark-dev] Detecting Protocol Headers

From: "BARILLY YANN" <Yann.Barilly@xxxxxxxxxxxxxxxxx>
Date: Tue, 10 Mar 2009 16:54:21 +0100
Hi,
 
You will find the answers to nearly all the questions you are asking in the README.developer guide in the Wireshark sources:
how the proto tree is built, how data is collected and how it is printed, etc.
This guide is very well done, and with it you will be able to understand a big part of the way Wireshark is built.
 
It might be quite a frustrating answer, but I think, in my poor mind, that it is the one that fits best.
 
Sorry and good work
 
Yann


From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Rayne
Sent: Tuesday, March 10, 2009 2:09 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Detecting Protocol Headers

Hi,

I'm interested in understanding how Wireshark detects protocol headers in a packet and peels off each layer to get to the payload.

I took a look at packet-udp.c and packet-ip.c, and am wondering where I can find the definitions of the following functions:


call_dissector()
dissector_add()
dissector_try_heuristic()
dissector_try_port()
register_dissector_table()
register_heur_dissector_list()

and the following structures:
dissector_table_t
heur_dissector_list_t
dissector_handle_t

Also, where are the UDP ports and the list of heuristic dissectors tried by the UDP dissector defined? From what I can understand from packet-udp.c, the structures udp_dissector_table and heur_subdissector_list are first defined and registered in the file packet-udp.c itself. So how would the UDP dissector know which sub-dissectors and UDP ports to try next in order to call the next dissector? Also, are the dissectors in the heuristics list determined by statistics? For example, if, say, Protocol A follows Protocol B 80% of the time in observed traffic, is Protocol A then included in the list of heuristic dissectors to be tried by Protocol B?

And am I right to say that the protocol tree is built before the first packet is captured, when all the protocol dissectors are registered? In other words, as each dissector is registered, it is added to the protocol tree accordingly. So if I were to add a new dissector, say, Ethernet -> IP -> new_protocol -> TCP -> Payload, I would have to add this new protocol such that it extends from the IP branch? And this is done by calling the function dissect_new_protocol and using the corresponding argument "tree"? Also, it appears that dissector_add() would be called so that the IP -> new_protocol relationship can be established?

Where can I find an example where dissect-protocol() is called?

I also noticed that in packet-ip.c, the function dissector_try_port() is called. However, it appears that the "port" used here is the protocol field. Without seeing the definition of dissector_try_port(), I'm guessing that the second argument of this function is the search criterion, and for UDP (and presumably TCP) it's the source/destination port, whereas for IP it's the protocol field. Is this correct?

Thank you and sorry for the long post and questions!
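The dispatch mechanism asked about above, as an added example that is not part of this thread and not Wireshark's own code. The real functions named in the question (call_dissector, dissector_add, dissector_try_port, dissector_try_heuristic, register_dissector_table, register_heur_dissector_list) and the types dissector_table_t, heur_dissector_list_t and dissector_handle_t are declared in epan/packet.h and implemented in epan/packet.c; the toy below reuses their names with simplified signatures (no packet_info, no proto tree, no tvbuff API) to show only the control flow. A dissector table is a named map from an integer key to a dissector handle, where the key is the IP protocol number for "ip.proto" and a port for "udp.port"; each protocol registers the tables it owns in its proto_register function and inserts itself into its parent's table in its proto_reg_handoff function; heuristic dissectors are appended to a list and tried in registration order, each one reporting whether it accepted the packet, with no statistics involved. The "foo" protocol on port 9999, its "FOO!" magic, and the packets are constructed for this example.

```c
/* Toy model of Wireshark's dissector-table dispatch. Added example, not Wireshark
 * code: names mirror epan/packet.h, signatures are simplified (no packet_info,
 * no proto tree). The "foo" protocol, port 9999 and the packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

typedef struct { const uint8_t *data; size_t len; } tvbuff_t;   /* stand-in for tvbuff */
typedef struct { char path[64]; } dissect_ctx;                   /* records the layer chain */
typedef void (*dissector_t)(tvbuff_t *, dissect_ctx *);
typedef int  (*heur_dissector_t)(tvbuff_t *, dissect_ctx *);     /* 1 = accepted the packet */

typedef struct { dissector_t dissect; } dissector_handle_s, *dissector_handle_t;
typedef struct {                      /* one named table, e.g. "udp.port": key -> handle */
    const char *name;
    uint32_t keys[MAX_ENTRIES];
    dissector_handle_t handles[MAX_ENTRIES];
    int n;
} dissector_table_s, *dissector_table_t;
typedef struct { heur_dissector_t fns[MAX_ENTRIES]; int n; } heur_dissector_list_s, *heur_dissector_list_t;

static dissector_table_s g_tables[4];
static heur_dissector_list_s g_heur_lists[4];
static int g_ntables, g_nheur;

/* Registry primitives: simplified stand-ins for the epan/packet.c functions. */
dissector_table_t register_dissector_table(const char *name) {
    dissector_table_t t = &g_tables[g_ntables++];
    t->name = name; t->n = 0;
    return t;
}
static dissector_table_t find_dissector_table(const char *name) {
    for (int i = 0; i < g_ntables; i++)
        if (strcmp(g_tables[i].name, name) == 0) return &g_tables[i];
    return NULL;
}
void dissector_add(const char *name, uint32_t key, dissector_handle_t h) {
    dissector_table_t t = find_dissector_table(name);   /* caller names the PARENT's table */
    if (t && t->n < MAX_ENTRIES) { t->keys[t->n] = key; t->handles[t->n] = h; t->n++; }
}
void call_dissector(dissector_handle_t h, tvbuff_t *tvb, dissect_ctx *ctx) { h->dissect(tvb, ctx); }
int dissector_try_port(dissector_table_t t, uint32_t key, tvbuff_t *tvb, dissect_ctx *ctx) {
    for (int i = 0; i < t->n; i++)        /* key: port for udp.port, protocol number for ip.proto */
        if (t->keys[i] == key) { call_dissector(t->handles[i], tvb, ctx); return 1; }
    return 0;
}
heur_dissector_list_t register_heur_dissector_list(void) {
    heur_dissector_list_t l = &g_heur_lists[g_nheur++]; l->n = 0; return l;
}
void heur_dissector_add(heur_dissector_list_t l, heur_dissector_t fn) { if (l->n < MAX_ENTRIES) l->fns[l->n++] = fn; }
int dissector_try_heuristic(heur_dissector_list_t l, tvbuff_t *tvb, dissect_ctx *ctx) {
    for (int i = 0; i < l->n; i++)        /* registration order; first dissector to accept wins */
        if (l->fns[i](tvb, ctx)) return 1;
    return 0;
}

static void add_layer(dissect_ctx *ctx, const char *name) {
    if (ctx->path[0]) strncat(ctx->path, "/", sizeof ctx->path - strlen(ctx->path) - 1);
    strncat(ctx->path, name, sizeof ctx->path - strlen(ctx->path) - 1);
}

/* Toy protocols. Each layer strips its header and hands the rest to a child table. */
static dissector_table_t ip_dissector_table, udp_dissector_table;
static heur_dissector_list_t heur_subdissector_list;
static dissector_handle_s data_handle, udp_handle, foo_handle;

static void dissect_data(tvbuff_t *tvb, dissect_ctx *ctx) { (void)tvb; add_layer(ctx, "data"); }
static void dissect_foo(tvbuff_t *tvb, dissect_ctx *ctx)  { (void)tvb; add_layer(ctx, "foo"); }
static int dissect_foo_heur(tvbuff_t *tvb, dissect_ctx *ctx) {   /* constructed magic "FOO!" */
    if (tvb->len < 4 || memcmp(tvb->data, "FOO!", 4) != 0) return 0;
    add_layer(ctx, "foo(heur)"); return 1;
}
static void dissect_udp(tvbuff_t *tvb, dissect_ctx *ctx) {
    add_layer(ctx, "udp");
    if (tvb->len < 8) return;
    uint32_t sport = (tvb->data[0] << 8) | tvb->data[1], dport = (tvb->data[2] << 8) | tvb->data[3];
    uint32_t low = sport < dport ? sport : dport, high = sport < dport ? dport : sport;
    tvbuff_t next = { tvb->data + 8, tvb->len - 8 };
    if (dissector_try_port(udp_dissector_table, low, &next, ctx)) return;   /* ports first */
    if (dissector_try_port(udp_dissector_table, high, &next, ctx)) return;
    if (dissector_try_heuristic(heur_subdissector_list, &next, ctx)) return;/* then heuristics */
    call_dissector(&data_handle, &next, ctx);                                /* else raw data */
}
static void dissect_ip(tvbuff_t *tvb, dissect_ctx *ctx) {
    add_layer(ctx, "ip");
    if (tvb->len < 20) return;
    size_t ihl = (tvb->data[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > tvb->len) return;
    tvbuff_t next = { tvb->data + ihl, tvb->len - ihl };
    if (!dissector_try_port(ip_dissector_table, tvb->data[9], &next, ctx))  /* key = protocol field */
        call_dissector(&data_handle, &next, ctx);
}
static void proto_register_all(void) {          /* each protocol registers the tables it OWNS */
    g_ntables = 0; g_nheur = 0;
    ip_dissector_table = register_dissector_table("ip.proto");
    udp_dissector_table = register_dissector_table("udp.port");
    heur_subdissector_list = register_heur_dissector_list();
    data_handle.dissect = dissect_data; udp_handle.dissect = dissect_udp; foo_handle.dissect = dissect_foo;
}
static void proto_reg_handoff_all(void) {       /* each protocol hooks into its PARENT's table */
    dissector_add("ip.proto", 17, &udp_handle);
    dissector_add("udp.port", 9999, &foo_handle);
    heur_dissector_add(heur_subdissector_list, dissect_foo_heur);
}

/* Builds a constructed IPv4/UDP packet, runs the chain, returns e.g. "ip/udp/foo". */
const char *dissect_sample(uint16_t sport, uint16_t dport, const char *payload) {
    static uint8_t buf[96]; static dissect_ctx ctx;
    size_t plen = strlen(payload) > 60 ? 60 : strlen(payload);
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45; buf[9] = 17;                                  /* IHL=5, protocol=UDP */
    buf[2] = (uint8_t)((28 + plen) >> 8); buf[3] = (uint8_t)(28 + plen);
    buf[20] = sport >> 8; buf[21] = sport & 0xff; buf[22] = dport >> 8; buf[23] = dport & 0xff;
    buf[24] = (uint8_t)((8 + plen) >> 8); buf[25] = (uint8_t)(8 + plen);
    memcpy(buf + 28, payload, plen);
    proto_register_all(); proto_reg_handoff_all();
    ctx.path[0] = '\0';
    tvbuff_t tvb = { buf, 28 + plen };
    dissect_ip(&tvb, &ctx);
    return ctx.path;
}

int main(void) {
    printf("%s\n", dissect_sample(1234, 9999, "hello"));   /* port match:      ip/udp/foo */
    printf("%s\n", dissect_sample(1234, 5555, "FOO!x"));   /* heuristic match: ip/udp/foo(heur) */
    printf("%s\n", dissect_sample(1234, 5555, "xyz"));     /* no match:        ip/udp/data */
    return 0;
}
```

The order in dissect_udp (lower port, higher port, heuristic list, then the data dissector) follows the fall-through the real UDP dissector applies; the real one also carries a preference to try heuristics before the port table, which this toy omits. Note that the tables are built entirely from static registration, before any packet is seen, which is why nothing about observed traffic can influence which sub-dissector gets tried.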