Revision history

initial version

How is a message packet's protocol determined in wireshark?

There are several protocols in the packet, from the initial link-layer protocol to the topmost.

There is no single mechanism that is used. The main mechanisms are:

  1. A field in one layer of the packet indicates the protocol of the next layer. Wireshark selects the dissector for the payload of that layer based on the value of that field.
  2. No such field exists in that layer of the packet, so Wireshark has to guess the protocol, by having several dissectors look at the payload of that layer to see if it looks like a packet of its type; if any dissector thinks it does, it handles the payload and then returns an indication that the payload was a packet of its type and no other dissectors need to look at it.

For the initial link-layer protocol, a variant of the first mechanism is used - the code that reads the capture file from which the packet came indicates, based on the file type and information in the file, the link-layer type for that packet, using a value internal to Wireshark; that value is used by Wireshark to select the dissector.

I have a .pcapng file I have been looking at and at first it seemed that the first three hex digits were the determining factor because they seemed to be unique to a protocol.

For the first mechanism, there is no standard place in the protocol where the field in question occurs. For Ethernet, it's typically the type field, which is in octets 12 and 13 of the Ethernet header (with the first octet being octet 0). For IPv4, it's the Protocol field, which is in octet 9 of the IPv4 header. Note that the IPv4 header might have link-layer headers before it, in which case octet 9 of the IPv4 header isn't going to be octet 9 of the packet; for that matter, there might be additional headers before the Ethernet header (if, for example, Ethernet is being tunneled over some other protocol).

So there's no simple answer.

Also, just to be sure: the hexadecimal representation in the third frame window represents the whole package without anything added or taken away, right?

Taken away, no. Added, perhaps; when capturing over Wi-Fi in monitor mode, the device driver may add a "radio information" header before the IEEE 802.11 header, giving metadata such as the 802.11 channel on which the packet was received.

Note also that Wireshark may reassemble data from multiple link-layer packets to form a packet for a higher-level protocol, and those reassembled packets will appear as tabs in the third pane of the frame.
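To make the two mechanisms concrete, here is a toy model in Python of the dispatch the answer describes. It is an added example, not code from the answer or from Wireshark itself: a constructed Ethernet/IPv4/UDP/DNS frame is walked layer by layer, each layer using either the next-protocol field named above (EtherType at octets 12-13, IPv4 Protocol at octet 9 of the IPv4 header) or, where no such field exists (the UDP payload), a list of heuristic "does this look like X" checks. The dissector tables, heuristic functions, and sample bytes are all assumptions of this example; the only value taken from the real world is the pcap link-layer type number 1 for Ethernet.

```python
"""Toy model of how a Wireshark-style dissector chain picks each layer's protocol.

Mechanism 1: a field in one layer names the next protocol.
Mechanism 2: no such field exists, so heuristic dissectors inspect the payload.
This is illustrative example code, not Wireshark's own implementation.
"""
import struct

# Real pcap/pcapng link-layer type value for Ethernet (LINKTYPE_ETHERNET).
# The capture-file reader supplies this per packet; it picks the first dissector.
LINKTYPE_ETHERNET = 1


def dissect_ethernet(data, offset, layers):
    """Ethernet: the EtherType field at octets 12-13 names the next layer."""
    if len(data) - offset < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", data, offset + 12)[0]
    layers.append(("eth", offset, ethertype))
    nxt = ETHERTYPE_TABLE.get(ethertype)
    if nxt is None:                      # nobody claims it: leave as raw data
        layers.append(("data", offset + 14, None))
        return
    nxt(data, offset + 14, layers)


def dissect_ipv4(data, offset, layers):
    """IPv4: the Protocol field at octet 9 of the IPv4 header names the next layer.

    Note that `offset` is where the IPv4 header starts in the frame, so the
    Protocol field sits at absolute offset `offset + 9`, not at frame octet 9.
    """
    first = data[offset]
    version, ihl = first >> 4, (first & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) - offset < ihl:
        raise ValueError("bad IPv4 header")
    proto = data[offset + 9]
    layers.append(("ipv4", offset, proto))
    nxt = IPPROTO_TABLE.get(proto)
    if nxt is None:
        layers.append(("data", offset + ihl, None))
        return
    nxt(data, offset + ihl, layers)      # header may carry options, so use IHL


def dissect_udp(data, offset, layers):
    """UDP carries no next-protocol field, so heuristics inspect the payload."""
    sport, dport, _length = struct.unpack_from("!HHH", data, offset)
    layers.append(("udp", offset, (sport, dport)))
    payload_off = offset + 8
    payload = data[payload_off:]
    for name, looks_like in HEURISTICS:   # first dissector that accepts wins
        if looks_like(payload):
            layers.append((name, payload_off, "heuristic"))
            return
    layers.append(("data", payload_off, None))


def looks_like_dns(payload):
    """Assumed heuristic: plausible DNS header (opcode 0-2, 1-2 questions)."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    opcode = (flags >> 11) & 0xF
    return opcode <= 2 and 1 <= qdcount <= 2


def looks_like_text(payload):
    """Assumed heuristic: payload is entirely printable ASCII text."""
    return len(payload) > 0 and all(32 <= b < 127 or b in (10, 13) for b in payload)


ETHERTYPE_TABLE = {0x0800: dissect_ipv4}          # IPv4
IPPROTO_TABLE = {17: dissect_udp}                 # UDP
HEURISTICS = [("dns?", looks_like_dns), ("text?", looks_like_text)]
LINKTYPE_TABLE = {LINKTYPE_ETHERNET: dissect_ethernet}


def dissect_frame(linktype, data):
    """Entry point: the link-layer type from the file reader selects the first dissector."""
    layers = []
    LINKTYPE_TABLE[linktype](data, 0, layers)
    return layers


def make_frame(payload, ethertype=0x0800):
    """Build a constructed Ethernet/IPv4/UDP frame around `payload` (checksums left 0)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth + struct.pack("!H", ethertype) + ipv4


def build_sample_frame():
    """Constructed sample: a standard-format DNS query for example.com inside UDP."""
    dns_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01")
    return make_frame(dns_query)


if __name__ == "__main__":
    for layer in dissect_frame(LINKTYPE_ETHERNET, build_sample_frame()):
        print(layer)
```

Running it prints one tuple per layer with the byte offset where that layer begins, which is the practical point of the answer: the IPv4 Protocol field lands at frame octet 23 here only because a plain 14-byte Ethernet header precedes it, and the DNS guess at the end is a heuristic claim rather than a lookup, so the order of the heuristic list decides the outcome when more than one check would accept the payload.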