Enhanced Packet Analyzer (EPAN)

Wireshark was called Ethereal before 2006, but the core engine is the same. EPAN is the packet-analyzing engine of Wireshark. EPAN uses decoders, or dissectors, which describe how to rebuild each protocol's fields from the raw bytes in the proper format:

[Figure: Enhanced packet analyzer]

The EPAN contains four main Application Programming Interfaces (APIs), as shown in the preceding diagram:

  • Protocol tree: Detailed analysis of a single packet
  • Dissectors: Provide information on how to break down the protocols into the proper format according to the appropriate Request for Comments (RFC) or other specification
  • Dissector plugins: Use dissectors as separate, loadable functions
  • Display filters: Allow you to filter the captured data

In most cases, Wireshark is able to correctly identify and decode the protocol. However, there are times when you will need to help Wireshark decode the protocol. You do this by right-clicking the frame and selecting Decode As…, which brings up the following window. Once in the window, you can change the values so that the traffic is handed to the appropriate protocol dissector:

[Figure: Decode As...]

This function is very useful when a protocol either has no dedicated port or is running on a port other than its usual one. For example, you would use Decode As… when HTTP is running on port 8080 instead of port 80, because Wireshark's port-based lookup would otherwise leave the payload undecoded.
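As an added illustration (not code from the book or from Wireshark itself), the following Python model shows how a port-keyed dissector table works and why Decode As… is needed: port 80 is registered to HTTP by default, so an HTTP request on port 8080 is only shown as raw data until a decode_as() override maps that port to the HTTP dissector. The tiny HTTP dissector, the table class and the sample request are all constructed for this example.

```python
# Constructed sample payload: an HTTP request observed on TCP port 8080.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def dissect_http(payload: bytes) -> dict:
    """Minimal HTTP request-line dissector (illustrative, not Wireshark's)."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Raises ValueError when the bytes are not an HTTP request line.
    method, target, version = lines[0].split(b" ", 2)
    headers = dict(line.split(b": ", 1) for line in lines[1:] if b": " in line)
    return {
        "protocol": "http",
        "method": method.decode(),
        "target": target.decode(),
        "version": version.decode(),
        "host": headers.get(b"Host", b"").decode(),
    }


def dissect_data(payload: bytes) -> dict:
    """Fallback when no dissector is registered for the port (Wireshark's 'Data')."""
    return {"protocol": "data", "length": len(payload)}


class DissectorTable:
    """Port-keyed dissector table, modelled on Wireshark's 'tcp.port' table."""

    def __init__(self):
        # Default registration: only the well-known port is known to be HTTP.
        self._by_port = {80: dissect_http}

    def decode_as(self, port: int, dissector) -> None:
        """Stand-in for the Decode As... dialog: map a port to a dissector."""
        self._by_port[port] = dissector

    def dissect(self, dst_port: int, payload: bytes) -> dict:
        """Pick the dissector by destination port and run it over the payload."""
        dissector = self._by_port.get(dst_port, dissect_data)
        try:
            return dissector(payload)
        except ValueError:
            # Mirrors Wireshark's [Malformed Packet] when the bytes do not fit
            # the dissector the user forced onto this port.
            name = dissector.__name__[len("dissect_"):]
            return {"protocol": name, "malformed": True}
```

Forcing a dissector onto the wrong traffic produces a malformed result rather than a silent misdecode, which is the same signal Wireshark gives when a Decode As… choice is incorrect.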

Once the bits have been converted into the proper format, the next step is to display the results in a human-readable format.
