WRITING PROTOCOL DECODERS

Tcpview uses three different type of protocol decoders.  The first
is a standard tcpdump decoder.  Because it decodes each frame individually,
it works best on protocols that are packet-oriented.  For an example, take a look
at any of the files named print-xxx.c.  The output from this protocol decoder
is visible only in the top portion of the tcpview window.  It should also
work with tcpdump.  See 'summary.txt for more information.

The second type of decoder is very similar to the first.  It's purpose is
to fill in more detailed protocol information in the middle pane of the
tcpview display.  It does not work with tcpdump.  See the file 'detail.txt'
for more information.

The third type of decoder was created to handle those protocols that are
not packet-oriented.  It is implemented as a filter, working on a stream of
data created by the "filter stream" menu in tcpview.  See the file 'filter.txt'
for more information.

Many protocols will have both type 1 (tcpdump) and type 2 (detailed tcpview)
decoders.  Some will only type 3.  A few may have all 3 types.  For example,
most telnet or X frames are short and will be on packet boundaries, so most
of the frames could be correctly decoded in type 1 and 2 decoders.  However,
a type 3 decoder would be needed to show all the X commands or telnet traffic.
BGP could be done similarly.  The keepalives and short updates would show
up in a type 1 or 2 decoder.  To see all the routes, you need a type 3
(filter).





