Wireshark-dev: Re: [Wireshark-dev] heuristic Dissector for Dummies

From: "Tom Stevens" <tomstevens@xxxxxxx>
Date: Sat, 30 Aug 2008 12:59:35 +0200
Thank you very much for your great explanation. Something I had known before, but thanks anyway.
Particularly the point "How do these heuristics work?" and your given example should be very useful for anybody who wants to know how a heuristic dissector works.

My problem is that I have to write a heuristic dissector on my own. Hence, I need code snippets or something else that will show me how to put my ideas (searching patterns) down on paper (C source code).

For example, which lines of code do I need to get Wireshark to check these 4 conditions:

1) first byte must be 0x42
2) second byte is a type field and can only contain values between 0x20 - 0x33
3) third byte is a flag field, where the lower 4 bits always contain the value 0
4) fourth and fifth bytes contain a 16-bit length field, where the value can't be longer than 10000 bytes

My protocol should work independently of the underlying (I hope this is the right word) protocol or port numbers.
Look at the picture to see what I mean: http://farm4.static.flickr.com/3185/2802328059_ed78644686_o.png

Hope you can help me. Greetings, Tom (Germany)



2008/8/30 Maynard, Chris <Christopher.Maynard@xxxxxxxxx>
I think this information would best be placed in the doc/ directory,
either residing in its own README.heuristic file (with a mention of it
from README.developer) or residing directly in README.developer itself,
under its own section.  Wherever it lives, I think it would also be very
useful to include a heuristic dissector code skeleton, just as the
README.developer does now in section 1.2 for normal dissectors.

There may be general interest from the user's perspective, but I think
it's better to keep it simple.  Section 9.4 [of Wireshark-1.0.2] user
guide does a pretty nice job already, I think, although some dissectors,
UDP & TCP for instance, have a preference for controlling whether
heuristic dissectors are tried first or not, so that might also be worth
mentioning in the user guide (or maybe it is and I just didn't see it).

I don't know if that counts as a concrete idea or not, but it's my 2
cents.  (Of course with the exchange rate being so bad these days, it's
probably worth much less than that.)

- Chris

> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-
> bounces@xxxxxxxxxxxxx] On Behalf Of Ulf Lamping
> Sent: Friday, August 29, 2008 5:50 PM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] heuristic Dissector for Dummies
>
> Peter Johansson schrieb:
> > Nicely put Ulf! This information is certainly a candidate for addition
> > to the Wireshark Wiki.
> >
>
> Thanks!
>
> While writing it, I was having in mind to put it into the sources doc
> dir. As it turns out, this info might also be of general interest for
> the common WS user - so I'm not sure where's the best place to put it.
>
> Concrete ideas?
>
> Regards, ULFL
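Tom's four conditions above, written out as an added C example (this is not code from the list or from the Wireshark sources): the check is a plain function over a byte array so it compiles and runs stand-alone; inside a dissector the same bytes would be read from the tvbuff_t and the heuristic would be registered with heur_dissector_add() for "udp" and "tcp". The byte order of the length field is assumed to be big-endian, since the mail does not say.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Size of the header the four conditions inspect, and the length cap. */
#define FOO_HDR_LEN 5
#define FOO_MAX_LEN 10000

/* Returns true if the first bytes of buf satisfy all four conditions.
 * In Wireshark the heuristic would take (tvbuff_t *tvb, packet_info *pinfo,
 * proto_tree *tree), read the bytes with tvb_get_guint8() / tvb_get_ntohs(),
 * return FALSE when this check fails and TRUE after calling the real
 * dissector. A plain byte array is used here so the logic runs offline. */
bool foo_header_looks_valid(const uint8_t *buf, size_t len)
{
    /* Never read past the end of the packet: a short or truncated frame must
     * simply not match, instead of throwing an exception out of the heuristic. */
    if (buf == NULL || len < FOO_HDR_LEN)
        return false;

    /* 1) first byte must be 0x42 */
    if (buf[0] != 0x42)
        return false;

    /* 2) second byte is a type field and may only be 0x20..0x33 */
    if (buf[1] < 0x20 || buf[1] > 0x33)
        return false;

    /* 3) third byte is a flag field whose lower 4 bits are always 0 */
    if ((buf[2] & 0x0f) != 0)
        return false;

    /* 4) fourth and fifth bytes form a 16-bit length field; big-endian
     * (network byte order) is an assumption not stated in the mail. */
    uint16_t length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (length > FOO_MAX_LEN)
        return false;

    return true;
}
```

A heuristic is offered every packet of its parent protocol, so the length guard at the top and the combination of all four conditions matter: a looser test would claim other protocols' traffic for this dissector.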

