Wireshark-dev: Re: [Wireshark-dev] Define dissector port

From: "Hal Lander" <hal_lander@xxxxxxxxxxx>
Date: Tue, 16 Jan 2007 06:48:03 -0900
The word 'heuristic' only appears once in 'readme.developer', and although I have skimmed through the whole document I seem to have missed where it tells you how to make a dissector heuristic.

Can you be more specific about where there is an example?
Can plugins be heuristic dissectors?

Once a dissector is heuristic will it just look on all ports?

Hal



From: Guy Harris <guy@xxxxxxxxxxxx>
Reply-To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Define dissector port
Date: Mon, 15 Jan 2007 10:37:39 -0800

Hal Lander wrote:
> Is there a way to get a dissector to run on all ports?

A dissector that runs on all ports would have to be a heuristic
dissector (otherwise, you wouldn't be able to dissect any TCP/UDP
traffic except for traffic for your protocol).

So the way you'd do that would be to have your dissector be able to look
at a packet and determine whether it's a packet for your protocol or
not, and use a check of that sort in your dissector.  See
doc/README.developer for information on how to make a heuristic
dissector.  The name of the heuristic dissector table for TCP is "tcp",
and the table for UDP is "udp".
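The kind of check described in the reply above, as an added example (not code from Wireshark or from either poster): a self-contained C function that decides whether a segment belongs to a hypothetical "FOO" protocol and declines everything else. The header layout, names and sample bytes are assumptions constructed for illustration; in a real dissector the same tests would read the packet through the tvbuff accessors, and the function would be added to the "tcp" or "udp" heuristic table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "FOO" header, constructed for this example:
 *   magic "FOO1" (4) | version (1) | type (1) | payload length, big-endian (2) */
#define FOO_HDR_LEN     8
#define FOO_MAX_VERSION 2
#define FOO_MAX_TYPE    3

/* Heuristic test: true only if the bytes look like a FOO PDU.
 * captured_len = bytes present in buf, reported_len = bytes on the wire.
 * Each field is read only after its bounds are checked, because a
 * heuristic is offered arbitrary traffic from every port. */
bool foo_looks_like_pdu(const uint8_t *buf, size_t captured_len,
                        size_t reported_len)
{
    if (buf == NULL || captured_len < FOO_HDR_LEN || reported_len < captured_len)
        return false;                     /* too short to judge: not ours */
    if (memcmp(buf, "FOO1", 4) != 0)
        return false;                     /* wrong magic */
    if (buf[4] == 0 || buf[4] > FOO_MAX_VERSION)
        return false;                     /* unknown version */
    if (buf[5] > FOO_MAX_TYPE)
        return false;                     /* unknown message type */
    size_t payload_len = ((size_t)buf[6] << 8) | buf[7];
    /* The declared length must fit in the segment; a bare magic match
     * alone would claim unrelated traffic that happens to start "FOO1". */
    return payload_len <= reported_len - FOO_HDR_LEN;
}

/* Constructed sample segments (not captured traffic). */
const uint8_t sample_ok[]     = {'F','O','O','1', 1, 2, 0, 3, 0xaa, 0xbb, 0xcc};
const uint8_t sample_http[]   = {'G','E','T',' ','/',' ','H','T','T','P'};
const uint8_t sample_badlen[] = {'F','O','O','1', 1, 2, 0xff, 0xff, 0xaa};
const uint8_t sample_short[]  = {'F','O','O','1', 1};

int main(void)
{
    printf("ok=%d http=%d badlen=%d short=%d\n",
           foo_looks_like_pdu(sample_ok, sizeof sample_ok, sizeof sample_ok),
           foo_looks_like_pdu(sample_http, sizeof sample_http, sizeof sample_http),
           foo_looks_like_pdu(sample_badlen, sizeof sample_badlen, sizeof sample_badlen),
           foo_looks_like_pdu(sample_short, sizeof sample_short, sizeof sample_short));
    return 0;
}
```

Returning false leaves the packet for other dissectors, so each extra field check reduces the chance of claiming traffic that is not FOO.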