
Wireshark physical packet

How does Wireshark interpret physical packets? As far as I know, all packets look the same, so how does it decode them to pass to the next higher protocol?

When it is used to capture live traffic it knows the type of the interface and therefore the L2 encapsulation of the packets, and when reading a pcap file, the file has a field in its header that indicates the network type.
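To make the answer above concrete, here is an added example (not from the original post, and not Wireshark's code) that reads the `network` field of the pcap global header and uses it to pick the L2 decoder for every record in the file. The three LINKTYPE_* numbers are the real registered values (Ethernet = 1, raw IP = 101, Linux cooked/SLL = 113); the pcap bytes it parses are constructed inline by `build_pcap`, not taken from a real capture. Everything else (function names, the minimal IPv4/IPv6 headers) is an assumption made for the example.

```python
import struct

# Selected values of the pcap global header "network" (link-layer type) field.
# These are the registered LINKTYPE_* numbers; the rest of this file is illustrative.
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101          # record starts directly at the IP header
LINKTYPE_LINUX_SLL = 113    # Linux "cooked" capture, e.g. from the "any" interface

PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HDR_LEN = 24         # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR_LEN = 16         # ts_sec, ts_frac, incl_len, orig_len

ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6", 0x0806: "arp"}


def parse_global_header(data):
    """Return (struct endianness, linktype, snaplen) from the 24-byte global header.

    The magic number is written in the writer's byte order, so trying both
    orders tells us how to read every later integer in the file.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            fields = struct.unpack(endian + "IHHiIII", data[:GLOBAL_HDR_LEN])
            _magic, _major, _minor, _tz, _sig, snaplen, network = fields
            return endian, network, snaplen
    raise ValueError("not a pcap file: bad magic")


def iter_records(data, endian):
    """Yield the captured bytes of each record that follows the global header."""
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated record: incl_len points past end of file")
        yield data[off:off + incl_len]
        off += incl_len


def decode_l2(linktype, frame):
    """Strip the L2 encapsulation named by linktype; return (next_proto, payload)."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14:
            raise ValueError("short Ethernet frame")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        return ETHERTYPES.get(ethertype, "unknown-0x%04x" % ethertype), frame[14:]
    if linktype == LINKTYPE_LINUX_SLL:
        # SLL: pkttype(2) hatype(2) halen(2) addr(8) protocol(2) = 16 bytes
        if len(frame) < 16:
            raise ValueError("short SLL header")
        proto = struct.unpack("!H", frame[14:16])[0]
        return ETHERTYPES.get(proto, "unknown-0x%04x" % proto), frame[16:]
    if linktype == LINKTYPE_RAW:
        # No L2 header at all: the IP version nibble is the only discriminator.
        if not frame:
            raise ValueError("empty raw packet")
        version = frame[0] >> 4
        return {4: "ipv4", 6: "ipv6"}.get(version, "unknown-ipver-%d" % version), frame
    raise ValueError("unsupported linktype %d" % linktype)


def build_pcap(linktype, frames, endian="<"):
    """Constructed sample pcap (not a real capture) for offline testing."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(endian + "IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def dissect_file(data):
    """Top-level flow: read the linktype once, then decode every record with it."""
    endian, linktype, _snaplen = parse_global_header(data)
    return [decode_l2(linktype, rec) for rec in iter_records(data, endian)]


# Constructed packets (synthetic, not captured): a minimal IPv4 header, the first
# 8 bytes of an IPv6 header, and the two L2 wrappings used in the checks below.
IPV4_PKT = bytes.fromhex("45000014000100004011000a0a0000010a000002")
IPV6_PKT = bytes.fromhex("6000000000000000")
ETH_FRAME = bytes.fromhex("ffffffffffff020000000001") + b"\x08\x00" + IPV4_PKT
SLL_FRAME = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("0200000000010000"), 0x86DD) + IPV6_PKT

if __name__ == "__main__":
    for lt, frames in ((LINKTYPE_ETHERNET, [ETH_FRAME]),
                       (LINKTYPE_RAW, [IPV4_PKT]),
                       (LINKTYPE_LINUX_SLL, [SLL_FRAME])):
        print(lt, dissect_file(build_pcap(lt, frames)))
```

Note that nothing in the record itself says "this is Ethernet"; the decision is made once from the file header and applied to every record, which is why a pcap written with the wrong linktype dissects as garbage all the way up the stack.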

There are probably a number of different mechanisms. You can download the dissectors and study the source to find out the various methods.

I wrote a dissector for a network sniffer and ported it to Ethereal and then Wireshark (or maybe someone else ported it; I don't remember). But the basic logic is that the dissector gets added to the list of possible dissectors. Wireshark calls a dissector and it decodes the packet if it can. If not, it calls the next one in the chain.

In the code I wrote, I simply analyzed the packet (UDP in my situation) to determine if it fit the profile of the desired packet, using checksums and known data in the packet. If it decided it was the packet I was interested in, I just extracted the various pieces of interesting data from the packet. The function tvb_get_ptr returns a pointer to the start of the data.
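The "try each dissector in turn until one accepts" logic of the two answers above, as an added example that is not the answerer's dissector and not Wireshark code. It models a chain of heuristic UDP-payload dissectors: each one checks magic bytes, length consistency and a checksum (here the RFC 1071 ones'-complement sum, the same arithmetic IP and UDP use), returns a result if the packet fits its profile, and otherwise returns None so the next one is tried. The "FOO" and "BAR" protocols, their layouts and all function names are hypothetical, invented for the example; the packets are constructed inline.

```python
import struct

# The chain: (name, function) in registration order. Order matters, because the
# first dissector that claims a packet wins and later ones never see it.
HEURISTIC_DISSECTORS = []


def register_heuristic(name):
    """Decorator that appends a dissector to the chain (hypothetical registry)."""
    def deco(fn):
        HEURISTIC_DISSECTORS.append((name, fn))
        return fn
    return deco


def inet_checksum(data):
    """RFC 1071 16-bit ones'-complement checksum; verifying a packet that
    carries its checksum in-band yields 0 when it is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@register_heuristic("foo")
def dissect_foo(payload):
    """Hypothetical FOO: 'FO' | version u8 | body_len u8 | cksum u16 | body.
    Magic alone is a weak signal; the length and checksum make the profile tight."""
    if len(payload) < 6 or payload[:2] != b"FO":
        return None
    version, body_len, _cksum = struct.unpack("!BBH", payload[2:6])
    if version != 1 or len(payload) != 6 + body_len:
        return None
    if inet_checksum(payload) != 0:       # damaged or merely looks like FOO
        return None
    return {"proto": "foo", "version": version, "body": payload[6:]}


@register_heuristic("bar")
def dissect_bar(payload):
    """Hypothetical BAR: 'BAR\\x01' | seq u16 | body. No checksum, so it is
    deliberately looser: anything starting with the 4 magic bytes is claimed."""
    if len(payload) < 6 or payload[:4] != b"BAR\x01":
        return None
    seq = struct.unpack("!H", payload[4:6])[0]
    return {"proto": "bar", "seq": seq, "body": payload[6:]}


def dissect_udp_payload(payload):
    """Walk the chain; fall through to a generic 'data' result like Wireshark's Data."""
    for _name, fn in HEURISTIC_DISSECTORS:
        result = fn(payload)
        if result is not None:
            return result
    return {"proto": "data", "body": payload}


def build_foo(body, version=1):
    """Construct a valid FOO packet with its checksum filled in."""
    hdr = struct.pack("!2sBBH", b"FO", version, len(body), 0)
    cksum = inet_checksum(hdr + body)
    return struct.pack("!2sBBH", b"FO", version, len(body), cksum) + body


def build_bar(seq, body):
    return b"BAR\x01" + struct.pack("!H", seq) + body


if __name__ == "__main__":
    good = build_foo(b"hello")
    damaged = good[:6] + b"j" + good[7:]      # one body byte flipped
    for pkt in (good, damaged, build_bar(7, b"x"), b"FO\x01\x00junk", b"\x00" * 8):
        print(pkt, "->", dissect_udp_payload(pkt))
```

The usual caveat when writing such a heuristic: a dissector like `dissect_bar` that accepts on magic bytes alone will occasionally claim unrelated traffic, and because the chain stops at the first acceptance it also shadows any dissector registered after it. Checking lengths and a checksum, as the answer describes, is what keeps the false-positive rate low.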
