On Aug 18, 2010, at 12:30 AM, upendra.a...@wipro.com wrote: > Thanks a lot for you reply. > Let me put my question more clearly. > > In my current Wireshark, when decoding my own plug-ins, the order of > dissection is: > > Frame > Ethernet > Internet Protocol > User Datagram Protocol (UDP) > My-plugin > > Now for dissecting My-plugin, I have to dissect from Ethernet to > My-plugin every time.
Yes, that's the way Wireshark works. > All my plug-ins is on top IP layer (either on UDP > or on SCTP). Now for decoding My-plugin every time I have to start > decoding from a common Data Link type (Ethernet) which is time > consuming. So I want to know that is it possible to directly decode > My-plugin? Not if your capture file is a capture of Ethernet traffic. Wireshark cannot magically figure out that a given Ethernet packet happens to contain an IP packet without, at minimum, looking at the Ethernet type/length field; it cannot figure out that a given IP packet is a UDP packet without, at minimum, looking at the IP protocol number field; and it cannot figure out that a given UDP packet is a packet for your protocol without, at minimum, looking at either the UDP port numbers (if your dissector is registered with a UDP port or you've used Decode As) or the contents of the payload (if your dissector is a heuristic dissector). ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
