How is a message packet's protocol determined in wireshark?
There are several protocols in the packet, from the initial link-layer protocol to the topmost.
There is no single mechanism that is used. The main mechanisms are:
For the initial link-layer protocol, a variant of the first mechanism is used - the code that reads the capture file from which the packet came indicates, based on the file type and information in the file, the link-layer type for that packet, using a value internal to Wireshark; that value is used by Wireshark to dissect the selector.
I have a .pcapng file I have been looking at and at first it seemed that the first three hex digits were the determining factor because they seemed to be unique to a protocol.
For the first mechanism, there is no standard place in the protocol where the field in question occurs. For Ethernet, it's typically the type field, which is in octets 12 and 13 of the Ethernet header (with the first octet being octet 0). For IPv4, it's the Protocol field, which is in octet 9 of the IPv4 header. Note that the IPv4 header might have link-layer headers before it, in which case octet 9 of the IPv4 header isn't going to be octet 9 of the packet; for that matter, there might be additional headers before the Ethernet header (if, for example, Ethernet is being tunneled over some other protocol).
So there's no simple answer.
Also, just to be sure: the hexadecimal representation in the third frame window represents the whole package without anything added or taken away, right?
Taken away, no. Added, perhaps; when capturing over Wi-Fi in monitor mode, the device driver may add a "radio information" header before the IEEE 802.11 header, giving metadata such as the 802.11 channel on which the packet was received.
Note also that Wireshark may reassemble data from multiple link-layer packets to form a packet for a higher-level protocol, and those reassembled packets will appear as tabs in the third pane of the frame.
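As an added example (not part of the answer above), this Python snippet walks the selector chain the answer describes: the Ethernet type field at octets 12 and 13 of the Ethernet header, then the IPv4 Protocol field at octet 9 of the IPv4 header, and shows how an 802.1Q tag in front of the IPv4 header shifts that octet within the packet. The sample frames are constructed here, not taken from the asker's capture, and the name tables are small subsets.

```python
import struct

# Small subsets of the real registries, used only to name the selector values.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def dissect_ethernet(frame):
    """Follow each layer's selector field at that layer's own offset.

    Returns the protocol chain plus the absolute packet offset of the IPv4
    Protocol octet, to show it is octet 9 of the IPv4 header, not of the packet.
    """
    chain = ["Ethernet"]
    offset = 12                                   # type field: octets 12-13
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2                                   # IPv4 header would start here
    # An 802.1Q tag sits between the MACs and the real type field; every later
    # header, and therefore every later selector, moves 4 octets further in.
    while ethertype == 0x8100:
        chain.append("802.1Q")
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    chain.append(ETHERTYPES.get(ethertype, "ethertype 0x%04x" % ethertype))
    if ethertype != 0x0800:
        return {"chain": chain, "ipv4_protocol_offset": None}
    ihl = (frame[offset] & 0x0F) * 4              # IPv4 header length in octets
    proto_offset = offset + 9                     # Protocol field: octet 9 of IPv4
    proto = frame[proto_offset]
    chain.append(IP_PROTOCOLS.get(proto, "ip proto %d" % proto))
    return {"chain": chain, "ipv4_protocol_offset": proto_offset,
            "transport_offset": offset + ihl}

def build_ipv4_frame(vlan, proto):
    """Constructed minimal sample frame (synthetic, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan:
        eth += b"\x81\x00\x00\x64"                # 802.1Q tag, VLAN ID 100
    eth += b"\x08\x00"                            # EtherType IPv4
    ipv4 = bytearray(20)
    ipv4[0] = 0x45                                # version 4, IHL 5 (20 octets)
    ipv4[9] = proto
    ipv4[12:16] = bytes([10, 0, 0, 1])            # constructed source address
    ipv4[16:20] = bytes([10, 0, 0, 2])            # constructed destination address
    return eth + bytes(ipv4)

if __name__ == "__main__":
    for vlan, proto in ((False, 17), (True, 6)):
        print(dissect_ethernet(build_ipv4_frame(vlan, proto)))
```

In the untagged frame the Protocol octet lands at packet offset 23; with one 802.1Q tag it moves to 27, which is why the leading hex digits of a packet are not a reliable protocol indicator.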