Wireshark-users: Re: [Wireshark-users] Dissector and Packets Bytes Pane

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 18 Jun 2007 15:00:16 -0700
On Jun 18, 2007, at 2:49 AM, Kaushal Shriyan wrote:

> What does one mean by saying "dissector"?
A dissector is a module in Wireshark (or in another network analyzer,  
although they may use a term other than "dissector") that can look at  
the raw data in a packet for a particular protocol and analyze it as a  
set of fields - for example, the IPv4 header described in RFC 791:
	http://www.ietf.org/rfc/rfc0791.txt

has, in the first byte, an IP version number of 4 in the upper 4 bits and an IP header length (in units of 32-bit words) in the lower 4 bytes. The next byte has some information used to give information about service quality requested for the packet, congestion indications, and so forth, and then come two bytes, in host byte order, giving the total length of the IP packet (header and data), and so on and so forth. A "dissector" would show the values of all those items as individual elements.
> Also, I am not able to understand the "Packet Bytes" pane. What do the hexadecimal numbers signify?
The hexadecimal numbers in there are the raw byte values in the  
packet.  An Ethernet packet as sent by or received by a host, for  
example, is just a sequence of bytes.  The first 6 bytes are the  
Ethernet address to which the packet is being sent, and the next 6  
bytes are the Ethernet address from which the packet is being sent.   
The next two bytes are either a packet length indication or a packet  
type indication.  A value of 0x08 0x00 is a packet type indication,  
indicating that the packet is an IPv4 packet.  If that's the case, the  
bytes after the packet type indication are the bytes of an IPv4 header  
followed by the IPv4 payload, which might be a TCP packet or a UDP  
packet or....
Wireshark is an application that was designed under the assumption  
that the user is at least somewhat familiar with the way network  
packets are constructed (just as, for example, an oscilloscope is  
designed under the assumption that the user is somewhat familiar with  
the waveforms they're measuring, and a logic analyzer is designed  
under the assumption that the user is somewhat familiar with the  
digital system they're analyzing); people unfamiliar with the way  
network packets are constructed and network protocols work should  
probably read a book about networking before using Wireshark, as,  
otherwise, much of what Wireshark displays would mean nothing to them.
"TCP/IP Illustrated, Volume 1: The Protocols":

	http://www.kohala.com/start/tcpipiv1.html

might be a good book for this.
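To make the two answers above concrete, here is a small added Python example (not from the original mail, not Wireshark's own code): it renders a constructed Ethernet/IPv4 frame the way the Packet Bytes pane does (offset, hex values, printable ASCII), then acts as a minimal "dissector" that splits the same raw bytes into named fields. The frame bytes are constructed for this example, not taken from a real capture, and the IPv4 checksum is left as zero. The field names mirror Wireshark's display-filter names (eth.dst, ip.ttl, and so on) for recognisability only; the parsing uses network (big-endian) byte order via struct's "!" prefix and checks the version and IHL before trusting the header.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II header + IPv4 header + 4 payload bytes.
# Ethernet: 6-byte destination MAC, 6-byte source MAC, 2-byte type 0x0800 (IPv4).
ETH_HDR = bytes.fromhex("00 11 22 33 44 55" "66 77 88 99 aa bb" "08 00")
# IPv4 header, 20 bytes, big-endian on the wire:
# 45 = version 4 in the upper 4 bits, IHL 5 (5 x 32-bit words = 20 bytes) in the lower 4 bits;
# 00 = DSCP/ECN; 00 18 = total length 24 (20-byte header + 4 payload bytes); 00 01 = identification;
# 40 00 = flags (DF set), fragment offset 0; 40 = TTL 64; 11 = protocol 17 (UDP);
# 00 00 = header checksum (left zero in this constructed sample); 192.0.2.1 -> 192.0.2.2.
IPV4_HDR = bytes.fromhex("45 00 00 18 00 01 40 00 40 11 00 00" "c0 00 02 01" "c0 00 02 02")
PAYLOAD = bytes.fromhex("de ad be ef")
SAMPLE_FRAME = ETH_HDR + IPV4_HDR + PAYLOAD


def hexdump(data, width=16):
    """Render bytes like the Packet Bytes pane: offset, hex values, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asciipart}")
    return "\n".join(lines)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def dissect_ethernet(frame):
    """Split the 14-byte Ethernet header into fields; return (fields, remaining bytes)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    fields = {"eth.dst": mac_str(dst), "eth.src": mac_str(src)}
    # Values up to 1500 are an IEEE 802.3 length; larger values are an Ethernet II type.
    if type_or_len <= 1500:
        fields["eth.len"] = type_or_len
    else:
        fields["eth.type"] = type_or_len
    return fields, frame[14:]


def dissect_ipv4(data):
    """Split an IPv4 header into fields; return (fields, payload bytes)."""
    if len(data) < 20:
        raise ValueError("not enough bytes for an IPv4 header")
    first = data[0]
    version, ihl = first >> 4, first & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    hdr_len = ihl * 4
    if hdr_len < 20 or hdr_len > len(data):
        raise ValueError(f"bad IHL {ihl}")
    # "!" selects network (big-endian) byte order for the multi-byte fields.
    tos, total_len, ident, flags_frag, ttl, proto, cksum = struct.unpack("!BHHHBBH", data[1:12])
    src, dst = data[12:16], data[16:20]
    fields = {
        "ip.version": version,
        "ip.hdr_len": hdr_len,
        "ip.dsfield": tos,
        "ip.len": total_len,
        "ip.id": ident,
        "ip.flags": flags_frag >> 13,
        "ip.frag_offset": flags_frag & 0x1FFF,
        "ip.ttl": ttl,
        "ip.proto": proto,
        "ip.checksum": cksum,
        "ip.src": ".".join(str(x) for x in src),
        "ip.dst": ".".join(str(x) for x in dst),
    }
    # Trust the declared total length only if the buffer actually holds that many bytes.
    payload = data[hdr_len:total_len] if total_len <= len(data) else data[hdr_len:]
    return fields, payload


def dissect_frame(frame):
    """Chain the Ethernet and IPv4 dissectors as Wireshark does, keyed on the type field."""
    eth, rest = dissect_ethernet(frame)
    if eth.get("eth.type") == 0x0800:
        ip, payload = dissect_ipv4(rest)
        return {**eth, **ip}, payload
    return eth, rest


if __name__ == "__main__":
    print(hexdump(SAMPLE_FRAME))
    fields, payload = dissect_frame(SAMPLE_FRAME)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("payload:", payload.hex())
```

Running it prints the same 38 bytes twice: once as the hex dump a user sees in the Packet Bytes pane, and once as the decoded fields a dissector would show in the Packet Details pane, which is exactly the relationship the mail describes.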