User guide

Chapter 9. Packet dissection
9.1. How it works
Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors
for an encapsulated protocol.
So it might all start with a Frame dissector which dissects the packet details of the capture file itself
(e.g. timestamps), passes the data on to an Ethernet frame dissector that decodes the Ethernet header,
and then passes the payload to the next dissector (e.g. IP) and so on. At each stage, details of the
packet will be decoded and displayed.
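The hand-off chain described above, as an added example that is not code from this guide or from the
Wireshark sources: a simplified stand-alone model in which each stage checks the remaining length before
reading its header and then selects the next dissector. All type and function names, and the sample
packet, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of dissector hand-off; these names are not Wireshark's API. */
typedef struct { char layers[64]; int truncated; } result_t;
typedef void (*dissector_fn)(const uint8_t *p, size_t len, result_t *r);
static void note(result_t *r, const char *name) {   /* record a decoded layer */
    size_t used = strlen(r->layers);
    if (used + strlen(name) + 2 > sizeof r->layers) return;
    if (used) r->layers[used++] = '>';
    strcpy(r->layers + used, name);
}
static void dissect_data(const uint8_t *p, size_t len, result_t *r) {
    (void)p; (void)len; note(r, "data");             /* fallback: opaque payload */
}
static void dissect_ipv4(const uint8_t *p, size_t len, result_t *r) {
    note(r, "ip");
    if (len < 20) { r->truncated = 1; return; }      /* minimum IPv4 header */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;          /* header length from the packet */
    if (ihl < 20 || ihl > len) { r->truncated = 1; return; }
    dissect_data(p + ihl, len - ihl, r);             /* no transport dissectors here */
}
/* Hand-off table: the Ethernet dissector picks the next dissector by EtherType. */
static const struct { uint16_t type; dissector_fn fn; } eth_table[] = {
    { 0x0800, dissect_ipv4 },
};
static void dissect_eth(const uint8_t *p, size_t len, result_t *r) {
    note(r, "eth");
    if (len < 14) { r->truncated = 1; return; }      /* dst + src MAC + EtherType */
    uint16_t type = (uint16_t)((p[12] << 8) | p[13]);
    for (size_t i = 0; i < sizeof eth_table / sizeof eth_table[0]; i++)
        if (eth_table[i].type == type) { eth_table[i].fn(p + 14, len - 14, r); return; }
    dissect_data(p + 14, len - 14, r);
}
static result_t dissect_frame(const uint8_t *p, size_t len) {
    result_t r; memset(&r, 0, sizeof r);
    note(&r, "frame");                               /* capture-file level */
    dissect_eth(p, len, &r);
    return r;
}
/* Constructed sample: Ethernet + IPv4 (IHL 5, documentation addresses) + 4 bytes. */
static const uint8_t sample_pkt[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,24, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
    0xde,0xad,0xbe,0xef };
int main(void) {
    result_t r = dissect_frame(sample_pkt, sizeof sample_pkt);
    return printf("%s truncated=%d\n", r.layers, r.truncated) < 0;
}
```

A packet cut short mid-header stops the chain at the stage that detected it instead of reading past the
end of the buffer.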
Dissection can be implemented in two possible ways. One is to have a dissector module compiled
into the main program, which means it's always available. Another way is to make a plugin (a
shared library/DLL) that registers itself to handle dissection.
There is little difference in having your dissector as either a plugin or built-in. On the Win32
platform you have limited function access through what's listed in libwireshark.def, but that is mostly
complete.
The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So
starting with a plugin makes initial development simpler, while deployment of the finished code may
well be done as a built-in dissector.