Chapter 9. Packet dissection

9.1. How it works

Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.

So it might all start with a Frame dissector which dissects the packet details of the capture file itself (e.g. timestamps), passes the data on to an Ethernet frame dissector that decodes the Ethernet header, and then passes the payload to the next dissector (e.g. IP) and so on. At each stage, details of the packet will be decoded and displayed.
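The chain just described, as an added example that is not part of the Wireshark source or this guide: a small stand-alone C model of how dissectors hand off. Each dissector decodes only its own header, then looks the next protocol up in a table keyed by the outer header's demultiplexing field (EtherType for Ethernet, the protocol number for IPv4), which is the idea behind Wireshark's dissector tables. The table types, function names and the sample frame are constructed for this illustration, not the real epan API. Every dissector bounds-checks before reading, so a truncated or length-lying header stops the chain cleanly instead of reading past the buffer, which is the main robustness requirement for any dissector fed untrusted captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of running the dissector chain over one captured frame. */
typedef struct {
    int layers;          /* headers successfully decoded */
    int malformed;       /* set when a header would read past the buffer */
    char path[64];       /* e.g. "frame/eth/ipv4/udp/data" */
} dissect_result;

typedef void (*dissector_fn)(const uint8_t *buf, size_t len, dissect_result *r);

/* Models a dissector table (e.g. "ethertype", "ip.proto"): a key taken
 * from the outer header selects the dissector for the encapsulated payload. */
typedef struct { uint32_t key; dissector_fn fn; } table_entry;

static void add_layer(dissect_result *r, const char *name) {
    size_t used = strlen(r->path);
    snprintf(r->path + used, sizeof r->path - used, "%s%s", r->layers ? "/" : "", name);
    r->layers++;
}

/* Look the key up and hand the payload to the next dissector; an unknown
 * key leaves the payload as undecoded "data" rather than guessing. */
static void hand_off(const table_entry *tbl, size_t n, uint32_t key,
                     const uint8_t *buf, size_t len, dissect_result *r) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].key == key) { tbl[i].fn(buf, len, r); return; }
    if (len > 0) add_layer(r, "data");
}

static void dissect_udp(const uint8_t *buf, size_t len, dissect_result *r) {
    (void)buf;
    if (len < 8) { r->malformed = 1; return; }      /* bounds check first */
    add_layer(r, "udp");
    if (len > 8) add_layer(r, "data");               /* application payload */
}

static const table_entry ip_proto_table[] = { { 17, dissect_udp } };

static void dissect_ipv4(const uint8_t *buf, size_t len, dissect_result *r) {
    if (len < 20) { r->malformed = 1; return; }
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;               /* header length */
    size_t total = ((size_t)buf[2] << 8) | buf[3];          /* total length */
    /* Reject lengths the buffer cannot back before touching the payload. */
    if (ihl < 20 || total < ihl || total > len) { r->malformed = 1; return; }
    add_layer(r, "ipv4");
    hand_off(ip_proto_table, 1, buf[9], buf + ihl, total - ihl, r);
}

static const table_entry ethertype_table[] = { { 0x0800, dissect_ipv4 } };

static void dissect_eth(const uint8_t *buf, size_t len, dissect_result *r) {
    if (len < 14) { r->malformed = 1; return; }
    add_layer(r, "eth");
    uint32_t ethertype = ((uint32_t)buf[12] << 8) | buf[13];
    hand_off(ethertype_table, 1, ethertype, buf + 14, len - 14, r);
}

/* Entry point: the "frame" layer stands for the capture-file metadata and
 * assumes an Ethernet link type before handing off. */
dissect_result dissect_frame(const uint8_t *buf, size_t len) {
    dissect_result r = { 0, 0, "" };
    add_layer(&r, "frame");
    dissect_eth(buf, len, &r);
    return r;
}

/* Helpers returning plain ints so results can be checked, not just printed. */
int path_is(const uint8_t *buf, size_t len, const char *expected) {
    dissect_result r = dissect_frame(buf, len);
    return strcmp(r.path, expected) == 0;
}
int is_malformed(const uint8_t *buf, size_t len) { return dissect_frame(buf, len).malformed; }

/* Constructed sample: Ethernet + IPv4 (proto 17) + UDP + 4 payload bytes. */
const uint8_t sample_frame[46] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00, /* eth */
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           /* ipv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35,0x04,0xd2, 0x00,0x0c,0x00,0x00,                                 /* udp */
    0xde,0xad,0xbe,0xef                                                       /* data */
};

/* Same frame with a different EtherType, to show the unknown-key path. */
int path_with_ethertype(uint16_t ethertype, const char *expected) {
    uint8_t copy[sizeof sample_frame];
    memcpy(copy, sample_frame, sizeof copy);
    copy[12] = (uint8_t)(ethertype >> 8);
    copy[13] = (uint8_t)ethertype;
    return path_is(copy, sizeof copy, expected);
}

int main(void) {
    dissect_result r = dissect_frame(sample_frame, sizeof sample_frame);
    printf("%s (layers=%d malformed=%d)\n", r.path, r.layers, r.malformed);
    r = dissect_frame(sample_frame, 30);       /* truncated capture */
    printf("%s (layers=%d malformed=%d)\n", r.path, r.layers, r.malformed);
    return 0;
}
```

Running it prints `frame/eth/ipv4/udp/data (layers=5 malformed=0)` for the full frame and `frame/eth (layers=2 malformed=1)` for the 30-byte truncation: the Ethernet dissector still succeeds, the IPv4 dissector refuses the short buffer, and nothing downstream is reached. A real Wireshark dissector gets the same protection from the tvbuff accessors, which throw an exception on out-of-range reads.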

Dissection can be implemented in two possible ways. One is to have a dissector module compiled into the main program, which means it's always available. Another way is to make a plugin (a shared library/DLL) that registers itself to handle dissection.

There is little difference between having your dissector as a plugin or as a built-in. On the Win32 platform a plugin has limited function access, restricted to what is listed in libwireshark.def, but that list is mostly complete.

The big plus is that the rebuild cycle for a plugin is much shorter than for a built-in dissector. So starting with a plugin makes initial development simpler, while the finished code may well be deployed as a built-in dissector.

[Note] See also README.developer

The file doc/README.developer contains much detailed information about implementing a dissector (and may, in some cases, be more up-to-date than this document).

Published under the terms of the GNU General Public License. Design by Interspire.