Each dissector decodes its part of the protocol, and then hands off
decoding to subsequent dissectors for an encapsulated protocol.
So it might all start with a Frame dissector which dissects the packet details
of the capture file itself (e.g. timestamps), passes the data on to an
Ethernet frame dissector that decodes the Ethernet header,
and then passes the payload to the next dissector (e.g. IP) and so on.
At each stage, details of the packet will be decoded and displayed.
Dissection can be implemented in two possible ways. One is to have a dissector
module compiled into the main program, which means it's always available.
Another way is to make a plugin (a shared library/DLL) that registers itself
to handle dissection.
There is little difference in having your dissector as either a plugin
or build-in. On the Win32 platform you have limited function access
through what's listed in libwireshark.def, but that is mostly complete.
The big plus is that your rebuild cycle for a plugin is much shorter
than for a build-in one. So starting with a plugin makes initial development
simpler, while deployment of the finished code may well be done as build-in
||See also README.developer
doc/README.developer contains much detailed information about
implementing a dissector (and may, in some cases, be more up-to-date than this document).