Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2021-09-22 08:17:51 +0000

Guy Harris gravatar image

I created a dissector under the assumption that a given dissector is applied to every packet picked up by Wireshark.

Incorrect assumption. Link-layer dissectors are applied only if the packet's link-layer protocol type corresponds to the link-layer protocol for that dissector. All other dissectors are applied only if another dissector that sees the packet decides to hand the packet to the dissector in question.

In your case, with a protocol that runs atop UDP, a dissector is called only if the packet is a UDP packet and, for the source and destination port numbers in the UDP header, either:

  1. the dissector has explicitly registered one (or both) of those port numbers in the "udp.port" dissector table;
  2. the dissector is set up the way Jaap suggests, and the user configures it to be called for one of those port numbers;
  3. the dissector is a UDP heuristic dissector, and the packet hasn't been handed to another dissector before it was handed to the heuristic dissector to see if it looks like one of its packets.

So, for your case, Jaap's suggest, 2), is the correct answer.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2