What is a protocol binding? It is simply a piece of code that determines if protocol B's header will follow immediately protocol A's header. Lets take a look at an example:
+----------+----------+----------+---------+ | header A | header B | header C | Payload | +----------+----------+----------+---------+
We see a packet buffer that starts with byte 0 at the left. We see that there is a protocol's A header starting with byte 0. After protocol A's header ends, protocol's B header starts, then protocol'C C header. At the end of a packet buffer, the remaining unmatched portions of the buffer to any protocol's header, are assumed to be the payload of the packet. All the other headers were simply there to facilitate the transfer of the payload and describe its contents.
So the scanner is told, literally by a numerical protocol ID, when the scan is requested what header A is. It is often called the DLT or Data Link Type or the first header within the packet. A binding is a piece of java code defined in object for by implementing the
JBinding interaface, that at an appropriate time will be called upon by the scanner, to evaluate the packet and return weather the binding succeeded or failed.
In our example, the scanner knows exactly what header A is, we told him or more specifically libpcap library itself told the scanner. The scanner records information about the header A, and then checks if there are any java bindings to it. If there are any bindings, it iterates through the list of these java bindings, providing them access to the packet and header A and asking if the binding is valid or not.
So if header B has a binding registered with header A, that binding will be run to check if it passes. The binding code has a chance to run whatever logic and algorithm is neccessary to determin if B should immediately follow A. In our example it does. So the binding returns success. The scanner then records that B is also found, also records the starting position of B, immediately follows A, and B's length also provided by the binding or if neccessary by another support interface
JHeaderScanner which determines the exact length in bytes of the header. Not all header's are constant in size.
Some bindings don't even require any logic at all. For example LLC header always follows IEEE 802.3 header. Therefore the LLC to 802.3 binding is very simple. It always return success.
In this way the scanner can go from header to header, check its bindings and header scanner a build a complete list of headers that were found.
Now, all the core protocols have their scanners defined natively and are scanned very efficiently and fast. Using a java bindings or scanner is less efficient, but that is not the normal case. None the less even the java binding approach is very fast as the code inside it is usually very simple.