Wireshark-users: Re: [Wireshark-users] Detecting protocol headers

From: Rayne <hjazz6@xxxxxxxxx>
Date: Mon, 9 Mar 2009 00:43:47 -0700 (PDT)
Thanks for your replies.

I took a look at packet-udp.c and packet-ip.c, and am wondering where I can find the definitions of the following functions:

call_dissector()
dissector_add()
dissector_try_heuristic()
dissector_try_port()
register_dissector_table()
register_heur_dissector_list()

and the following structures:
dissector_table_t
heur_dissector_list_t
dissector_handle_t

Also, where are the UDP ports and list of heuristic dissectors tried by the UDP dissector defined? From what I can understand from packet-udp.c, the structures udp_dissector_table and heur_subdissector_list are first defined and registered in the file packet-udp.c itself. So how would the UDP dissector know which sub-dissector and UDP ports to try next in order to call the next dissector?

And am I right to say that the protocol tree is built before the first packet is captured, when all the protocol dissectors are registered? In other words, as each dissector is registered, they are added to the protocol tree accordingly. So if I were to add a new dissector, say, Ethernet -> IP -> new_protocol -> TCP -> Payload, I would have to add this new protocol such that it extends from the IP branch? And this is done by calling the function dissect_new_protocol and using the corresponding argument "tree"? Also, it appears that dissector_add() would be called so that the IP -> new_protocol relationship can be established?

Where can I find an example where dissect-protocol() is called?

I also noticed that in packet-ip.c, the function dissector_try_port() is called. However, it appears that the "port" used here is the protocol field. Without seeing the definition for dissector_try_port(), I'm guessing that the second argument of this function is the search criteria, and for UDP (and presumably TCP), it's the source/destination ports, whereas for IP, it's the protocol field. Is this correct?

Thank you and sorry for the long post and questions!

--- On Fri, 3/6/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Detecting protocol headers
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Cc: hjazz6@xxxxxxxxx
Date: Friday, March 6, 2009, 6:55 PM

On Mar 6, 2009, at 10:08 AM, Stephen Fisher wrote:

> Take a look at epan/dissectors/packet-udp.c in the source code. In
> particular, the decode_udp_ports() function. The UDP dissector follows
> the general method for finding the next dissector to call. In the case
> of UDP, it uses the port number to find which dissector(s) has
> registered itself on that udp port and then calls it. If there is more
> than one, it is expected that each one will do a heuristic check of
> (usually) the first few bytes of the packet to determine if it should
> accept the packet and if not, Wireshark gives it to the next dissector
> registered on that port to see if it will accept it with a heuristic
> check.

In addition, the UDP dissector has a list of purely-heuristic dissectors;
depending on the setting of a preference, those are either called, one after
another, before the UDP dissector tries dissectors based on port numbers (so
that a heuristic dissector can grab traffic even if one of the ports it's
coming from or going to has a UDP dissector for it) or after the UDP dissector
tries dissectors based on port numbers. The heuristic dissectors are called
regardless of the port number; they also check (usually) the first few bytes of
the packet to decide if it should accept it or not.
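The dispatch mechanism the two replies describe, as an added example written for this page (it is not code from Wireshark's epan/ tree, and the real functions in epan/packet.c take packet_info and proto_tree arguments that this model drops). The names register_dissector_table(), dissector_add(), dissector_try_port(), register_heur_dissector_list() and dissector_try_heuristic() are kept close to the epan API so they map onto packet-ip.c and packet-udp.c; the "tree" is replaced by the name each dissector returns; the sub-dissectors (dns, syslog, an RTP heuristic) and the sample packets are constructed for illustration. The point of the model is the one Guy makes: the table owner ("ip.proto" in packet-ip.c, "udp.port" in packet-udp.c) only creates the table, each sub-dissector adds itself at registration time, the lookup key is whatever the owner chooses (a port for UDP, the protocol byte for IP), and the try_heuristic_first preference decides whether heuristics run before or after the port lookup.

```c
/* Added example: a self-contained model of Wireshark dissector dispatch.
 * NOT code from epan/; names mirror the epan API loosely, nothing more. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; } tvbuff_t;

/* A port-based dissector accepts whatever it is handed and returns the name it
 * would add to the protocol tree (this model's stand-in for proto_tree). */
typedef const char *(*dissector_t)(tvbuff_t *tvb);
/* A heuristic dissector inspects the bytes first and may refuse (NULL). */
typedef const char *(*heur_dissector_t)(tvbuff_t *tvb);

#define MAX_ENTRIES 8
typedef struct { const char *name; uint32_t keys[MAX_ENTRIES];
                 dissector_t funcs[MAX_ENTRIES]; int n; } dissector_table_t;
typedef struct { const char *name; heur_dissector_t funcs[MAX_ENTRIES]; int n; } heur_dissector_list_t;

/* Tables are created by the dissector that will do the lookups ... */
static void register_dissector_table(dissector_table_t *t, const char *name) { memset(t, 0, sizeof *t); t->name = name; }
static void register_heur_dissector_list(heur_dissector_list_t *l, const char *name) { memset(l, 0, sizeof *l); l->name = name; }
/* ... but entries are added by each sub-dissector at its own registration
 * time, which is how packet-udp.c "knows" about protocols in other files. */
static void dissector_add(dissector_table_t *t, uint32_t key, dissector_t f) {
    if (t->n < MAX_ENTRIES) { t->keys[t->n] = key; t->funcs[t->n] = f; t->n++; }
}
static void heur_dissector_add(heur_dissector_list_t *l, heur_dissector_t f) {
    if (l->n < MAX_ENTRIES) l->funcs[l->n++] = f;
}
/* The second argument is only a lookup key: a port for "udp.port", the IP
 * protocol field for "ip.proto".  NULL when nothing is registered for it. */
static const char *dissector_try_port(dissector_table_t *t, uint32_t key, tvbuff_t *tvb) {
    for (int i = 0; i < t->n; i++) if (t->keys[i] == key) return t->funcs[i](tvb);
    return NULL;
}
/* Every heuristic gets a look, in registration order, regardless of port. */
static const char *dissector_try_heuristic(heur_dissector_list_t *l, tvbuff_t *tvb) {
    for (int i = 0; i < l->n; i++) { const char *r = l->funcs[i](tvb); if (r) return r; }
    return NULL;
}

static dissector_table_t ip_proto_table, udp_port_table;
static heur_dissector_list_t udp_heur_list;
static bool try_heuristic_first = false;   /* models the packet-udp.c preference */

/* Sub-dissectors; in real Wireshark each lives in its own packet-*.c file. */
static const char *dissect_dns(tvbuff_t *tvb)    { (void)tvb; return "dns"; }
static const char *dissect_syslog(tvbuff_t *tvb) { (void)tvb; return "syslog"; }
/* RTP heuristic: version bits must be 2 and the 12-byte fixed header must fit. */
static const char *heur_dissect_rtp(tvbuff_t *tvb) {
    return (tvb->len >= 12 && (tvb->data[0] & 0xC0) == 0x80) ? "rtp" : NULL;
}

/* UDP: modelled on decode_udp_ports() in packet-udp.c (lower port tried first). */
static const char *decode_udp_ports(tvbuff_t *tvb, uint16_t src, uint16_t dst) {
    const char *r;
    if (try_heuristic_first && (r = dissector_try_heuristic(&udp_heur_list, tvb))) return r;
    uint32_t low = src < dst ? src : dst, high = src < dst ? dst : src;
    if ((r = dissector_try_port(&udp_port_table, low, tvb)))  return r;
    if ((r = dissector_try_port(&udp_port_table, high, tvb))) return r;
    if (!try_heuristic_first && (r = dissector_try_heuristic(&udp_heur_list, tvb))) return r;
    return "data";   /* nothing claimed it: shown as raw data */
}
static const char *dissect_udp(tvbuff_t *tvb) {
    if (tvb->len < 8) return "malformed";
    uint16_t src = (uint16_t)((tvb->data[0] << 8) | tvb->data[1]);
    uint16_t dst = (uint16_t)((tvb->data[2] << 8) | tvb->data[3]);
    tvbuff_t next = { tvb->data + 8, tvb->len - 8 };
    return decode_udp_ports(&next, src, dst);
}
/* IPv4: the same dissector_try_port() call, but keyed on the protocol byte. */
static const char *dissect_ip(tvbuff_t *tvb) {
    if (tvb->len < 20 || (tvb->data[0] >> 4) != 4) return "malformed";
    size_t ihl = (size_t)(tvb->data[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > tvb->len) return "malformed";
    tvbuff_t next = { tvb->data + ihl, tvb->len - ihl };
    const char *r = dissector_try_port(&ip_proto_table, tvb->data[9], &next);
    return r ? r : "data";
}

/* Registration phase (the job of the proto_register / proto_reg_handoff functions). */
static void register_all(void) {
    register_dissector_table(&ip_proto_table, "ip.proto");
    register_dissector_table(&udp_port_table, "udp.port");
    register_heur_dissector_list(&udp_heur_list, "udp");
    dissector_add(&ip_proto_table, 17, dissect_udp);        /* would be in packet-udp.c */
    dissector_add(&udp_port_table, 53, dissect_dns);        /* would be in packet-dns.c */
    dissector_add(&udp_port_table, 514, dissect_syslog);    /* would be in packet-syslog.c */
    heur_dissector_add(&udp_heur_list, heur_dissect_rtp);   /* would be in packet-rtp.c */
}

/* Constructed sample payloads (not real captures). */
static const uint8_t sample_rtp[12] = { 0x80, 0x60, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_dns[12] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };

/* Wrap a payload in a minimal IPv4+UDP frame (checksums left zero), run it
 * through the chain and return the protocol that finally claimed the payload. */
static const char *classify(uint16_t src, uint16_t dst, const uint8_t *payload, size_t plen, bool heur_first) {
    static uint8_t frame[256];
    static bool registered = false;
    if (!registered) { register_all(); registered = true; }
    if (plen > sizeof frame - 28) return "too-long";
    size_t total = 28 + plen;
    memset(frame, 0, 28);
    frame[0] = 0x45; frame[9] = 17;                               /* IPv4, IHL=5, proto=UDP */
    frame[2] = (uint8_t)(total >> 8); frame[3] = (uint8_t)total;
    frame[20] = (uint8_t)(src >> 8); frame[21] = (uint8_t)src;
    frame[22] = (uint8_t)(dst >> 8); frame[23] = (uint8_t)dst;
    frame[24] = (uint8_t)((8 + plen) >> 8); frame[25] = (uint8_t)(8 + plen);
    memcpy(frame + 28, payload, plen);
    try_heuristic_first = heur_first;
    tvbuff_t tvb = { frame, total };
    return dissect_ip(&tvb);
}

int main(void) {
    printf("dns payload -> 53               : %s\n", classify(40000, 53, sample_dns, sizeof sample_dns, false));
    printf("rtp payload -> 5004             : %s\n", classify(5004, 5004, sample_rtp, sizeof sample_rtp, false));
    printf("rtp payload -> 53, ports first  : %s\n", classify(5004, 53, sample_rtp, sizeof sample_rtp, false));
    printf("rtp payload -> 53, heur first   : %s\n", classify(5004, 53, sample_rtp, sizeof sample_rtp, true));
    printf("dns payload -> 9999             : %s\n", classify(40000, 9999, sample_dns, sizeof sample_dns, false));
    return 0;
}
```

The third and fourth runs show the case Guy describes: RTP-looking bytes sent to port 53 go to the DNS dissector when ports are tried first, and to the RTP heuristic when the preference flips. Two differences from the real code are worth keeping in mind when reading packet-udp.c: the epan calls take the table's string name and a dissector_handle_t (obtained with create_dissector_handle() or find_dissector()) rather than a table pointer and a bare function, and the protocol tree is not built at registration time at all; each dissector adds its items to the proto_tree argument it receives while a packet is being dissected.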