Wireshark-users: Re: [Wireshark-users] Dissector and Packets Bytes Pane

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 18 Jun 2007 15:00:16 -0700

On Jun 18, 2007, at 2:49 AM, Kaushal Shriyan wrote:

what one means by saying dissector.

A dissector is a module in Wireshark (or in another network analyzer, although they may use a term other than "dissector") that can look at the raw data in a packet for a particular protocol and analyze it as a set of fields - for example, the IPv4 header described in RFC 791:

	http://www.ietf.org/rfc/rfc0791.txt

has, in the first byte, an IP version number of 4 in the upper 4 bits and an IP header length (in units of 32-bit words) in the lower 4 bytes. The next byte has some information used to give information about service quality requested for the packet, congestion indications, and so forth, and then come two bytes, in host byte order, giving the total length of the IP packet (header and data), and so on and so forth. A "dissector" would show the values of all those items as individual elements.

Also I am not able to understand the "Packet Bytes" pane. What does the hexadecimal number signify?

The hexadecimal numbers in there are the raw byte values in the packet. An Ethernet packet as sent by or received by a host, for example, is just a sequence of bytes. The first 6 bytes are the Ethernet address to which the packet is being sent, and the next 6 bytes are the Ethernet address from which the packet is being sent. The next two bytes are either a packet length indication or a packet type indication. A value of 0x08 0x00 is a packet type indication, indicating that the packet is an IPv4 packet. If that's the case, the bytes after the packet type indication are the bytes of an IPv4 header followed by the IPv4 payload, which might be a TCP packet or a UDP packet or....

Wireshark is an application that was designed under the assumption that the user is at least somewhat familiar with the way network packets are constructed (just as, for example, an oscilloscope is designed under the assumption that the user is somewhat familiar with the waveforms they're measuring, and a logic analyzer is designed under the assumption that the user is somewhat familiar with the digital system they're analyzing); people unfamiliar with the way network packets are constructed and network protocols work should probably read a book about networking before using Wireshark, as, otherwise, much of what Wireshark displays would mean nothing to them.

"TCP/IP Illustrated, Volume 1: The Protocols":

	http://www.kohala.com/start/tcpipiv1.html

might be a good book for this.
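The two explanations above, of what a dissector does with the IPv4 header and of what the raw bytes in the "Packet Bytes" pane are, can be seen together in a small worked example. The following Python script is an added illustration, not code from the mailing list post or from Wireshark itself. It builds one constructed Ethernet II frame (the MAC addresses, IP addresses and other field values are made up for the example), prints it as an offset/hex/ASCII dump in the style of the Packet Bytes pane, and then runs a minimal dissector chain over it: the Ethernet dissector reads the two addresses and the type/length field, and when the type is 0x0800 it hands the remaining bytes to an IPv4 dissector that splits the first byte into version (upper 4 bits) and header length in 32-bit words (lower 4 bits), reads the total length as a big-endian value (network byte order, per RFC 791), and so on. It also verifies the header checksum and refuses a header whose total length exceeds the captured bytes, which is the kind of sanity check a dissector needs before trusting any length field taken from the wire.

```python
"""Minimal Ethernet II + IPv4 dissector with a Packet-Bytes-style hex dump.

Added example (not Wireshark code): it parses the raw bytes of one constructed
frame into named fields, the way a dissector feeds the Packet Details pane,
and renders the same bytes the way the Packet Bytes pane shows them.
"""
import ipaddress
import struct

# Constructed sample frame (not a real capture): Ethernet II header,
# a 20-byte IPv4 header carrying UDP, and 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"    # destination MAC
    "66778899aabb"    # source MAC
    "0800"            # EtherType 0x0800 = IPv4
    "45" "00" "0018"  # version 4 / IHL 5 (words), DSCP+ECN, total length 24
    "1c46" "4000"     # identification, flags (DF set) + fragment offset 0
    "40" "11" "9c76"  # TTL 64, protocol 17 (UDP), header checksum
    "c0a80001"        # source 192.168.0.1
    "c0a800c7"        # destination 192.168.0.199
    "deadbeef"        # payload bytes (start of the UDP datagram)
)

ETHERTYPE_IPV4 = 0x0800


def hexdump(data, width=16):
    """Render bytes as offset / hex / ASCII lines, like the Packet Bytes pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def dissect_ethernet(frame):
    """Split an Ethernet II frame into dst, src, type/length and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        # values up to 1500 are an 802.3 length, larger ones an EtherType
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the header bytes handed in."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect_ipv4(data):
    """Parse an IPv4 header (RFC 791) from raw bytes into named fields."""
    if len(data) < 20:
        raise ValueError("data too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4            # upper 4 bits of the first byte
    ihl = ver_ihl & 0x0F              # lower 4 bits, in 32-bit words
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    if total_len > len(data):
        raise ValueError("total length exceeds captured bytes (truncated packet)")
    return {
        "version": version,
        "ihl": ihl,
        "header_len": header_len,
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "total_length": total_len,    # big-endian, i.e. network byte order
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": checksum,
        # a valid header sums to zero when the checksum field is included
        "checksum_ok": ipv4_checksum(data[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": data[header_len:total_len],
    }


def dissect_frame(frame):
    """Run the dissector chain: Ethernet first, then IPv4 if the type says so."""
    eth = dissect_ethernet(frame)
    result = {"eth": eth}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        result["ip"] = dissect_ipv4(eth["payload"])
    return result


if __name__ == "__main__":
    for line in hexdump(SAMPLE_FRAME):       # what the Packet Bytes pane shows
        print(line)
    for layer, fields in dissect_frame(SAMPLE_FRAME).items():
        print(layer)                         # what the Packet Details pane shows
        for name, value in fields.items():
            if name != "payload":
                print(f"  {name}: {value}")
```

Running the script prints the 38 frame bytes as three hex-dump lines, then the Ethernet and IPv4 fields one per line; the byte `45` at offset 14 in the dump is the same byte the dissector reports as version 4 and IHL 5, which is the correspondence between the two panes the post describes.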