Wireshark-dev: Re: [Wireshark-dev] how does the wireshark print the contents of the packets

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 16 Sep 2010 13:04:36 +0200
On Thu, 16 Sep 2010 16:01:59 +0800, 刘昆 <liukunmeister@xxxxxxxxx> wrote:
> 于 2010年09月15日 23:04, Jaap Keuter 写道:
>> On Wed, 15 Sep 2010 22:34:41 +0800, 刘昆<liukunmeister@xxxxxxxxx>  wrote:
>>
>>> 于 2010年09月15日 19:13, Jaap Keuter 写道:
>>>
>>>> Hi,
>>>>
>>>> You'll find an interface between the wiretap library providing input
>>>> and the dissection engine in epan/packet.c:dissect_packet(). Here the
>>>> packet data is encapsulated in a TVB and presented to the top level
>>>> dissector.
>>>>
>>>> Thanks,
>>>> Jaap
>>>>
>>>> On Wed, 15 Sep 2010 15:17:51 +0800, 刘昆<liukunmeister@xxxxxxxxx>   wrote:
>>>>
>>>>
>>>>> If I want to understand how the wireshark print the contents of the
>>>>> packets wireshark just as the table at the bottom in wireshark GUI,which
>>>>> files should I read. In fact,I just want to find out the array which
>>>>> save the data of the packet wireshark has captured so that I can do some
>>>>> work with the data.As http protocol,should I read the files
>>>>> packet-http.c under the directory wireshark/epan/dissectors or other files?
>>>>>
>>>>>
>>> I have read the epan/packet.c:dissect_packet() .However I am still not
>>> very clear about where the data is.Do you mean the edt->tvb save the
>>> packet data ?
>>>
>> Hi,
>>
>> Indeed edt->tvb is the object containing your packet data, to be
>> accessed through its interface functions.
>>
>> Thanks,
>> Jaap
>
> Thank you very much. I have found the packet data in edt->tvb.Actually I 
> have noticed edt->tvb- >real_data get the packet data through the 
> argument const guchar *pd in dissect_packet() .However I can't find 
> where dissect_packet() is called.Where pd come from.For http protocol,I 
> can't find that dissect_packet()  is called in 
> wireshark/epan/dissectors/packet-http.c

Hi,

To see the full path put a breakpoint at packet-http.c:dissect_http(),
run the code and load an HTTP packet.
Once you hit the breakpoint, look at the call stack. All will be
reveiled.

Thanks,
Jaap