Wireshark-dev: Re: [Wireshark-dev] Define dissector port

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 16 Jan 2007 20:39:19 +0100 (CET)
Hi,

Have a look in epan/packet.h and search for "heur".

Thanx,
Jaap

On Tue, 16 Jan 2007, Hal Lander wrote:

> I am still struggling with this.
> Is there any documentation on heur_dissector_add and where/how to call it?
>
> Also I presume from Guy's posting I have to add my protocol into some
> tables?
>
> Hal
>
> >From: "sharon lin" <sharon.lin.1@xxxxxxxxx>
> >Reply-To: Developer support list for Wireshark
> ><wireshark-dev@xxxxxxxxxxxxx>
> >To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> >Subject: Re: [Wireshark-dev] Define dissector port
> >Date: Tue, 16 Jan 2007 17:51:11 +0200
> >
> >Add
> >heur_dissector_add("udp", dissect_fring, proto_fring);
> >heur_dissector_add("tcp", dissect_fring, proto_fring);
> >
> >On 1/16/07, Hal Lander <hal_lander@xxxxxxxxxxx> wrote:
> >>
> >>The word 'heuristic' only appears once in 'readme.developer', and although I
> >>have skimmed through the whole document I seem to have missed where it tells
> >>you how to make a dissector heuristic.
> >>
> >>Can you be more specific about where there is an example?
> >>Can plugins be heuristic dissectors?
> >>
> >>Once a dissector is heuristic will it just look on all ports?
> >>
> >>Hal
> >>
> >>
> >>
> >> >From: Guy Harris <guy@xxxxxxxxxxxx>
> >> >Reply-To: Developer support list for Wireshark
> >> ><wireshark-dev@xxxxxxxxxxxxx>
> >> >To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> >> >Subject: Re: [Wireshark-dev] Define dissector port
> >> >Date: Mon, 15 Jan 2007 10:37:39 -0800
> >> >
> >> >Hal Lander wrote:
> >> > > Is there a way to get a dissector to run on all ports?
> >> >
> >> >A dissector that runs on all ports would have to be a heuristic
> >> >dissector (otherwise, you wouldn't be able to dissect any TCP/UDP
> >> >traffic except for traffic for your protocol).
> >> >
> >> >So the way you'd do that would be to have your dissector be able to look
> >> >at a packet and determine whether it's a packet for your protocol or
> >> >not, and use a check for that sort in your dissector.  See
> >> >doc/README.developer for information on how to make a heuristic
> >> >dissector.  The name of the heuristic dissector table for TCP is "tcp",
> >> >and the table for UDP is "udp".
>
>
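
Added example, not part of the thread and not Wireshark code: a stand-alone C model of the check Guy Harris describes, where a heuristic dissector inspects the bytes and declines packets that are not its protocol. The header layout, the function names (`toy_heur`, `weak_heur`, `heur_table_try`) and the sample packets are constructed assumptions, and no Wireshark API is used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy header (an assumption, not a real protocol):
 *   bytes 0-1 magic 0x46 0x52, byte 2 version (1), byte 3 reserved (0),
 *   bytes 4-5 big-endian payload length; one message per datagram. */
#define TOY_HDR_LEN 6

typedef bool (*heur_fn)(const uint8_t *buf, size_t len);

/* Strict check: claim the packet only if every header field is consistent.
 * The length test comes first so no read goes past the captured bytes. */
bool toy_heur(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < TOY_HDR_LEN)
        return false;                       /* too short to hold a header */
    if (buf[0] != 0x46 || buf[1] != 0x52)
        return false;                       /* wrong magic */
    if (buf[2] != 1 || buf[3] != 0)
        return false;                       /* unknown version or reserved set */
    size_t declared = ((size_t)buf[4] << 8) | buf[5];
    return declared == len - TOY_HDR_LEN;   /* length field must match */
}

/* Weak check for comparison: magic bytes only, so it also claims text. */
bool weak_heur(const uint8_t *buf, size_t len)
{
    return buf != NULL && len >= 2 && buf[0] == 0x46 && buf[1] == 0x52;
}

/* Model of a heuristic table such as "udp": try each entry in order; the
 * first that returns true claims the packet. Returns its index, or -1. */
int heur_table_try(const heur_fn *table, size_t n,
                   const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (table[i](buf, len))
            return (int)i;
    return -1;
}

/* Constructed sample datagrams. */
const uint8_t pkt_valid[]     = {0x46, 0x52, 1, 0, 0, 2, 0xAA, 0xBB};
const uint8_t pkt_text[]      = {'F', 'R', 'O', 'M', ':', ' ', 'x', '\n'};
const uint8_t pkt_truncated[] = {0x46, 0x52, 1};
```

The text payload starts with the same two bytes as the magic, so the magic-only check misclassifies it while the strict check declines it and leaves the packet for other dissectors.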