
Wireshark-dev: [Wireshark-dev] Heuristic dissector conflict

From: "Shah, Sachin" <sachins@xxxxxxxxxxxx>
Date: Thu, 18 Oct 2007 18:19:14 -0700
I have two different ethereal plugins which are registered on top of
"tcp" by 

packet-xxx.c
...
heur_dissector_add("tcp", dissect_xxx, proto_xxx); /* in proto_reg_handoff_xxx(void) method */
...

packet-yyy.c
...
heur_dissector_add("tcp", dissect_yyy, proto_yyy); /* in proto_reg_handoff_yyy(void) method */
...

These two plugins have completely different signatures, so they are very
easy to differentiate. Following is a snippet from the dissect_*** methods of
each:

From packet-xxx.c
s1 = tvb_get_guint8(tvb, 0);
if (s1 != 0x01 && s1 != 0x02 && s1 != 0x03)
	return;

From packet-yyy.c
s1 = tvb_get_guint8(tvb, 0);
s2 = tvb_get_guint8(tvb, 1);
if(s1 != 0x55)
	return;
if(s2 != 0x55)
	return;

Now my question is: when I have both plugins enabled in ethereal
(v0.10.12), I see that "xxx" packets are dissected correctly, but "yyy"
packets just show up as "TCP" packets only and there is no dissection in
effect?! Is there anything special that needs to be done to capture this kind
of scenario?

I will appreciate your response.

Thanks,
Sachin
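
A simplified C model of a heuristic dissector chain, added here as an illustration; it is not part of the original post and not Wireshark or Ethereal code. It assumes the usual heuristic contract (a heuristic returns true only when it claims the packet, and the first claim ends the chain), and shows how a heuristic that reports a claim for data it rejected leaves the next heuristic's traffic as plain TCP. All function names and sample payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a heuristic dissector; true means "claimed". Names are hypothetical. */
typedef bool (*heur_fn)(const uint8_t *buf, size_t len, const char **proto);

/* xxx: first byte is 0x01, 0x02 or 0x03 (signature from the post). */
static bool heur_xxx(const uint8_t *buf, size_t len, const char **proto) {
    if (len < 1) return false;              /* never read past the payload */
    if (buf[0] != 0x01 && buf[0] != 0x02 && buf[0] != 0x03) return false;
    *proto = "xxx";
    return true;
}

/* yyy: first two bytes are 0x55 0x55 (signature from the post). */
static bool heur_yyy(const uint8_t *buf, size_t len, const char **proto) {
    if (len < 2) return false;              /* needs two bytes before testing */
    if (buf[0] != 0x55 || buf[1] != 0x55) return false;
    *proto = "yyy";
    return true;
}

/* Faulty variant of xxx: rejects internally but still reports a claim. */
static bool heur_xxx_always_claims(const uint8_t *buf, size_t len, const char **proto) {
    (void)heur_xxx(buf, len, proto);
    return true;
}

/* Try each heuristic in registration order; the first claim wins. */
static const char *classify(const heur_fn *list, size_t n, const uint8_t *buf, size_t len) {
    const char *proto = "tcp";              /* fallback: undissected TCP payload */
    for (size_t i = 0; i < n; i++)
        if (list[i](buf, len, &proto)) break;
    return proto;
}

/* Constructed sample payloads and two registration orders. */
static const uint8_t PKT_XXX[] = {0x02, 0x10, 0x20};
static const uint8_t PKT_YYY[] = {0x55, 0x55, 0x00};
static const uint8_t PKT_SHORT[] = {0x55};
static const heur_fn GOOD[] = {heur_xxx, heur_yyy};
static const heur_fn BAD[] = {heur_xxx_always_claims, heur_yyy};

int main(void) {
    printf("%s %s\n", classify(GOOD, 2, PKT_YYY, 3), classify(BAD, 2, PKT_YYY, 3));
    return 0;
}
```

With the `GOOD` list the yyy payload reaches its own heuristic; with the `BAD` list the first entry ends the chain and the payload stays labelled as TCP, while xxx payloads look correct in both cases.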