Protocol analysis

When Wireshark starts, every protocol parser (dissector) is initialized and registered. The registered information includes the protocol name, the definition of each field together with its filter keyword, and the underlying protocol and port the parser is to be associated with (the handoff). During parsing, each parser is responsible for its own part of the protocol and then passes the remaining packet data to the next, upper-layer protocol parser. Together these form a complete protocol analysis chain.

The top of the chain is the Frame parser, which is responsible for parsing the pcap header. Each subsequent parser is found by looking up the upper-layer protocol in the current protocol's hash table, which holds the handoff information written at registration.

For example, consider the hash table of the ipv4 parser, which stores information in the form shown in the following table. When the ipv4 parser has finished parsing the header, it takes the protocol number field it obtained, for example 6, and uses it to find the subsequent tcp parser in the hash table.
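The lookup chain described above, as an added example that is not Wireshark's own code: a simplified model in which parsers register handoff entries once and each layer finds the next parser by key, with length checks so a truncated or malformed header ends the chain instead of reading past the buffer. The table labels, function names, the encapsulation key 1 and the sample packet are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of handoff tables; names are hypothetical, not Wireshark's API. */
typedef void (*dissector_t)(const uint8_t *b, size_t len, char *out, size_t cap);
struct handoff { const char *table; uint32_t key; dissector_t fn; };
static struct handoff registry[8];
static size_t n_reg;
static void handoff_add(const char *table, uint32_t key, dissector_t fn) {
    if (n_reg < 8) registry[n_reg++] = (struct handoff){ table, key, fn };
}
static dissector_t handoff_find(const char *table, uint32_t key) {
    for (size_t i = 0; i < n_reg; i++)
        if (registry[i].key == key && strcmp(registry[i].table, table) == 0)
            return registry[i].fn;
    return NULL;
}
static void note(char *out, size_t cap, const char *s) {
    strncat(out, s, cap - strlen(out) - 1);   /* never writes past cap */
}
static void dissect_tcp(const uint8_t *b, size_t len, char *out, size_t cap) {
    (void)b;
    note(out, cap, len < 20 ? "/tcp[truncated]" : "/tcp");
}
static void dissect_ipv4(const uint8_t *b, size_t len, char *out, size_t cap) {
    size_t ihl = len ? (size_t)(b[0] & 0x0f) * 4 : 0;    /* header length in bytes */
    if (len < 20 || ihl < 20 || ihl > len) { note(out, cap, "/ip[malformed]"); return; }
    note(out, cap, "/ip");
    dissector_t next = handoff_find("ip.proto", b[9]);   /* protocol number field */
    if (next) next(b + ihl, len - ihl, out, cap); else note(out, cap, "/data");
}
/* Top of the chain. Returns the protocol path, e.g. "frame/ip/tcp". */
const char *dissect_frame(uint32_t encap, const uint8_t *b, size_t len, char *out, size_t cap) {
    if (n_reg == 0) {                                    /* one-time registration */
        handoff_add("frame.encap", 1, dissect_ipv4);     /* constructed key: raw IPv4 */
        handoff_add("ip.proto", 6, dissect_tcp);         /* 6 = TCP */
    }
    if (cap == 0) return "";
    snprintf(out, cap, "frame");
    dissector_t next = handoff_find("frame.encap", encap);
    if (next) next(b, len, out, cap); else note(out, cap, "/data");
    return out;
}
/* Constructed sample: 20-byte IPv4 header (IHL 5, protocol 6) + 20 zero bytes. */
static const uint8_t SAMPLE[40] = { [0] = 0x45, [9] = 6 };
int main(void) {
    char out[64];
    return puts(dissect_frame(1, SAMPLE, sizeof SAMPLE, out, sizeof out)) < 0;
}
```

A protocol number with no registered entry falls through to a generic `data` step, and the header-length check in `dissect_ipv4` is what keeps the payload pointer inside the captured bytes.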


Origin blog.51cto.com/14466125/2423190