Wireshark-dev: Re: [Wireshark-dev] How can I delete a heuristic dissector

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 22 Jan 2007 16:38:37 +0100 (CET)
Hi,

Well, enjoy the ride :)

With regards to the addition and adding of yourself (!) to a subdissector
list, yes you do that when the basis for your registration changes. Like
when a normal dissector registers for tcp.port 2000 and now that has
changed to 2001 it needs to pull back from tcp.port 2000 and attach to
tcp.port 2001. Would be a bit much for a heuristic dissector to attach
itself to all 65536 tcp.port's so it simply attaches to tcp and gets all,
if not picked up by an earlier heuristic dissector.

(BTW the TCP dissector has a preference which tells if normal or heuristic
dissectors get the first shot at cracking the payload).

Thanx,
Jaap

On Mon, 22 Jan 2007, Hal Lander wrote:

> Brilliant - I had misread you and have not got as far as learning how to
> use Wireshark :-)
>
> I would still like to know how to delete a heuristic dissector though, as
> the template shows you might need to delete one for preferences.
>
> I am maybe also misunderstanding the end of the template.
> Perhaps you only need to delete and re-add a dissector if one of the
> variables used to register the dissector has changed (for example a port
> number)?
>
> If the preference variable is just used locally in the dissector then can I
> not bother deleting and re-adding it?
>
> Hal
>
>
> >From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
> >Reply-To: Developer support list for Wireshark
> ><wireshark-dev@xxxxxxxxxxxxx>
> >To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> >Subject: Re: [Wireshark-dev] How can I delete a heuristic dissector
> >Date: Mon, 22 Jan 2007 14:11:38 +0100 (CET)
> >
> >Hi,
> >
> >I think you've misread me. It's disable, not delete. And what's even
> >better, you can do it now! Start Wireshark, go to menu | Analyze | Enabled
> >Protocols. There you are presented a list of all dissectors, which you
> >individually can disable. Save the list and you're done.
> >
> >Thanx,
> >Jaap
> >
> >On Mon, 22 Jan 2007, Hal Lander wrote:
> >
> > > How do I delete a heuristic dissector?
> > > I want to do this so that I can use preferences properly.
> > > I might also want to do it if another heuristic dissector is wrongly
> > > grabbing packets (not happening at the moment) that should be coming to me.
> > >
> > > The example in README.developer shows;
> > >                   dissector_delete("tcp.port", currentPort, PROTOABBREV_handle);
> > >
> > > but this would not apply to a heuristic dissector as I don't have a handle
> > > for it and it does not have a port. I cannot see any other examples of
> > > deleting dissectors in the readme.
> > >
> > > TIA
> > > Hal
> >
> >_______________________________________________
> >Wireshark-dev mailing list
> >Wireshark-dev@xxxxxxxxxxxxx
> >http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
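
The dispatch order described in this thread, as a self-contained C model added here (it is not code from the thread or from Wireshark, and `port_add`, `port_delete`, `heur_add`, `heur_delete`, `dispatch` and the sample heuristics are hypothetical stand-ins, not the Wireshark API). It shows a port-registered dissector moving from port 2000 to 2001, a heuristic list where the first claimant wins, and the preference that decides which kind gets the first shot.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the dispatch described above, NOT Wireshark source; all names hypothetical. */
typedef int (*heur_fn)(const unsigned char *buf, size_t len); /* nonzero = claims it */
struct heur { const char *name; heur_fn fn; };

static const char *port_table[65536];            /* models the "tcp.port" table */
static struct heur heur_list[8];                 /* models the "tcp" heuristic list */
static size_t heur_count;
static void port_add(unsigned port, const char *name) { port_table[port & 0xFFFF] = name; }
static void port_delete(unsigned port) { port_table[port & 0xFFFF] = NULL; }
static void heur_add(const char *name, heur_fn fn) {
    if (heur_count < 8) heur_list[heur_count++] = (struct heur){ name, fn };
}
static void heur_delete(heur_fn fn) {
    for (size_t i = 0; i < heur_count; i++)
        if (heur_list[i].fn == fn) {             /* close the gap, keep order */
            memmove(&heur_list[i], &heur_list[i + 1],
                    (--heur_count - i) * sizeof heur_list[0]);
            return;
        }
}
static const char *try_heur(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < heur_count; i++)      /* first claimant wins */
        if (heur_list[i].fn(buf, len)) return heur_list[i].name;
    return NULL;
}
/* heur_first models the TCP preference deciding who gets the first shot. */
static const char *dispatch(unsigned port, const unsigned char *buf, size_t len, int heur_first) {
    const char *by_port = port_table[port & 0xFFFF];
    const char *by_heur = (heur_first || !by_port) ? try_heur(buf, len) : NULL;
    if (heur_first && by_heur) return by_heur;
    return by_port ? by_port : (by_heur ? by_heur : "data");
}
/* Constructed sample heuristics: a strict magic check and an over-eager one. */
static int heur_foo(const unsigned char *b, size_t n) { return n >= 4 && !memcmp(b, "FOO1", 4); }
static int heur_greedy(const unsigned char *b, size_t n) { (void)b; return n >= 4; }

int main(void) {
    const unsigned char pkt[] = "FOO1 hello";    /* constructed payload */
    heur_add("greedy", heur_greedy); heur_add("foo", heur_foo);
    port_add(2000, "bar");
    puts(dispatch(2000, pkt, 10, 0));            /* port dissector goes first */
    puts(dispatch(2000, pkt, 10, 1));            /* heuristics go first */
    port_delete(2000); port_add(2001, "bar");    /* port preference changed */
    heur_delete(heur_greedy);
    puts(dispatch(2000, pkt, 10, 0));            /* only the heuristic list is left */
    return 0;
}
```

In the model, a heuristic that accepts too much and sits earlier in the list hides a stricter one behind it, which is the "wrongly grabbing packets" case raised in the original question.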