On Tue, Mar 10, 2009 at 00:27, Richard Sharpe <[email protected]> wrote:
> On 3/9/09, Ulisses Araújo Costa <[email protected]> wrote:
>> On Mon, Mar 9, 2009 at 23:40, Richard Sharpe
>> <[email protected]> wrote:
>> > On Mon, Mar 9, 2009 at 3:34 PM, Ulisses Araújo Costa
>> > <[email protected]> wrote:
>> >> I just want to know which function I can use to read a
>> >> tcpdump file and return the structure of a packet...
>> >
>> > The problem is, that is not the way Ethereal works. There is never a
>> > structure carried around that contains the packet as a set of broken
>> > down fields, protocol by protocol.
>> >
>>
>> No!? Can you explain to me the way Wireshark works?
>
> I have written a number of the dissectors in Ethereal/Wireshark,
> including the SMB dissector.
>
> The packets are read in as an array of bytes (actually, they are kept
> in a TVB, but that is an aside).
>
> The first dissector that gets them is the pcap dissector. It extracts
> the fields it needs (and adds them to the protocol tree as it goes) to
> figure out what the next layer is, and calls the next dissector
> through a table usually.
>
> At each layer it extracts the fields it needs and puts them into the
> protocol tree or the columns, however, there is no library that allows
> you to parse a packet and then say:
>
> give me the value of the field tcp.flags or smb.fid or so forth
>
> Ethereal is not organized that way.
>
> The best thing for you to do is to start reading the code.

Humm... I see. I thank you for that information. Can you give me some
pointers? For example: what file/dir to start?

> --
> Regards,
> Richard Sharpe
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
>

--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
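The pipeline Richard describes above (a frame arrives as bytes in a TVB, each dissector pulls out only the fields it needs, adds them to the protocol tree, and hands the remaining bytes to the next layer through a lookup table) rendered as a small constructed C model. This is an added illustration, not Wireshark's code and not code from either poster: `tvb_t`, `proto_tree_t`, `dissector_table_t`, the three toy dissectors and the 54-byte Ethernet/IPv4/TCP frame are stand-ins for the real epan API, which has the same shape but different signatures. The "give me tcp.flags" lookup that he says is not available as a library call is shown at the end as a plain scan over the tree the chain has just built. Each dissector checks the remaining length before touching the buffer, which is what keeps a truncated or malformed capture from turning into an out-of-bounds read; the truncated-frame case is exercised in the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of Wireshark-style dissection; not Wireshark code. */
typedef struct { const uint8_t *data; size_t len; } tvb_t;        /* bytes + remaining length */
typedef struct { const char *name; uint32_t value; } tree_item_t;  /* one field in the tree */
typedef struct { tree_item_t items[32]; size_t n; } proto_tree_t;

typedef void (*dissector_fn)(tvb_t tvb, proto_tree_t *tree);
typedef struct { uint32_t key; dissector_fn fn; } table_entry_t;
typedef struct { table_entry_t entries[4]; size_t n; } dissector_table_t;

static void tree_add(proto_tree_t *tree, const char *name, uint32_t value) {
    if (tree->n < sizeof tree->items / sizeof tree->items[0]) {
        tree->items[tree->n].name = name;
        tree->items[tree->n].value = value;
        tree->n++;
    }
}

/* Accessors: callers check tvb.len first, so these never read past the buffer. */
static uint16_t tvb_get_ntohs(tvb_t tvb, size_t off) {
    return (uint16_t)((tvb.data[off] << 8) | tvb.data[off + 1]);
}
static uint8_t tvb_get_guint8(tvb_t tvb, size_t off) { return tvb.data[off]; }
static tvb_t tvb_new_subset(tvb_t tvb, size_t off) {
    tvb_t s = { tvb.data + off, tvb.len - off };
    return s;
}

/* Hand the remaining bytes to whichever dissector registered for `key`. */
static void dissector_try(const dissector_table_t *t, uint32_t key, tvb_t tvb, proto_tree_t *tree) {
    for (size_t i = 0; i < t->n; i++) {
        if (t->entries[i].key == key) { t->entries[i].fn(tvb, tree); return; }
    }
    tree_add(tree, "data.len", (uint32_t)tvb.len);  /* nothing registered: left as raw data */
}

static dissector_table_t ethertype_table, ip_proto_table;

static void dissect_tcp(tvb_t tvb, proto_tree_t *tree) {
    if (tvb.len < 20) { tree_add(tree, "_ws.malformed", 1); return; }
    tree_add(tree, "tcp.srcport", tvb_get_ntohs(tvb, 0));
    tree_add(tree, "tcp.dstport", tvb_get_ntohs(tvb, 2));
    tree_add(tree, "tcp.flags", tvb_get_ntohs(tvb, 12) & 0x0fff);  /* low 12 bits of offset/flags */
}

static void dissect_ip(tvb_t tvb, proto_tree_t *tree) {
    if (tvb.len < 20) { tree_add(tree, "_ws.malformed", 1); return; }
    size_t hlen = (size_t)(tvb_get_guint8(tvb, 0) & 0x0f) * 4;   /* IHL in 32-bit words */
    if (hlen < 20 || hlen > tvb.len) { tree_add(tree, "_ws.malformed", 1); return; }
    uint8_t proto = tvb_get_guint8(tvb, 9);
    tree_add(tree, "ip.proto", proto);
    dissector_try(&ip_proto_table, proto, tvb_new_subset(tvb, hlen), tree);
}

static void dissect_eth(tvb_t tvb, proto_tree_t *tree) {
    if (tvb.len < 14) { tree_add(tree, "_ws.malformed", 1); return; }
    uint16_t type = tvb_get_ntohs(tvb, 12);
    tree_add(tree, "eth.type", type);
    dissector_try(&ethertype_table, type, tvb_new_subset(tvb, 14), tree);
}

/* The handoff step: each dissector registers the key it answers to. */
static void register_dissectors(void) {
    ethertype_table.entries[0].key = 0x0800; ethertype_table.entries[0].fn = dissect_ip;
    ethertype_table.n = 1;
    ip_proto_table.entries[0].key = 6;      ip_proto_table.entries[0].fn = dissect_tcp;
    ip_proto_table.n = 1;
}

/* Entry point: bytes in, flat list of (field, value) items out. */
void dissect_frame(const uint8_t *buf, size_t len, proto_tree_t *tree) {
    register_dissectors();
    tree->n = 0;
    tvb_t tvb = { buf, len };
    dissect_eth(tvb, tree);
}

/* The "give me tcp.flags" query: a scan over the tree this run produced. */
int tree_lookup(const proto_tree_t *tree, const char *name, uint32_t *out) {
    for (size_t i = 0; i < tree->n; i++)
        if (strcmp(tree->items[i].name, name) == 0) { *out = tree->items[i].value; return 1; }
    return 0;
}

/* Dissect and fetch one field; UINT32_MAX when the field was not produced. */
uint32_t field_of(const uint8_t *buf, size_t len, const char *name) {
    proto_tree_t tree; uint32_t v;
    dissect_frame(buf, len, &tree);
    return tree_lookup(&tree, name, &v) ? v : UINT32_MAX;
}

/* Constructed 54-byte frame: Ethernet / IPv4 / TCP SYN, 10.0.0.1:49152 -> 10.0.0.2:80. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};

int main(void) {
    proto_tree_t tree;
    dissect_frame(sample_frame, sizeof sample_frame, &tree);
    for (size_t i = 0; i < tree.n; i++)
        printf("%-14s = %u\n", tree.items[i].name, tree.items[i].value);
    return 0;
}
```

Running it prints the tree in the order the layers produced it (eth.type, ip.proto, tcp.srcport, tcp.dstport, tcp.flags). Passing only the first 30 bytes of the same frame makes the IP dissector stop with a `_ws.malformed` item instead of reading beyond the buffer, which is the property a real dissector must preserve, since the capture file is untrusted input.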
