Wireshark-dev: Re: [Wireshark-dev] Heuristic Dissector Priority

From: Evan Huus <eapache@xxxxxxxxx>
Date: Mon, 22 Apr 2013 13:01:00 -0400
On Mon, Apr 22, 2013 at 12:40 PM, Richard Maudsley <richard.maudsley@xxxxxxxxxxxxx> wrote:

> Hi Evan, thanks for your reply.
>
> I saw the functions register_postdissector and call_all_postdissectors in packet.h. I’m really looking for something that does the opposite (“predissector”?) for heuristic dissectors. Is there some way to achieve this?

Not off the top of my head.

> I don’t consider it to be a bug in the built-in dissector, it’s working just fine! My plugin handles a subset of the protocol that the built-in dissector implements – a missing feature, if you like – hence the need for a plugin.


If this missing feature is a public standard then you're probably best off simply improving the existing dissector directly; patches welcome :)

If, as I suspect, this is some proprietary extension that you don't want to build into the existing dissector then you have a couple of options depending on how significant the change is. A post-dissector may still work if you are simply adding a few fields and the existing dissector ignores those fields.

Otherwise I think you will have to do as you have already thought - use heur_dissector_delete to unregister the problematic built-in dissector, then find_dissector to get a direct handle, and manually call_dissector with that handle.

I'm obviously a bit biased, but I would strongly recommend improving the existing dissector unless there's a good reason not to :)

Cheers,
Evan