
Ethereal-dev: Re: [Ethereal-dev] Signature based dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Tue, 20 Apr 2004 00:05:44 +0100 (BST)
What you want are heuristic dissectors.
Examples include dcerpc, yahoo, and a few others.
Grep for heur_dissector in the packet-*.c files and you will find
many that are based on something other than hard coded ports.
Just make sure your dissector is specific, and not just like "first byte
of payload is 1". :D


On Mon, 19 Apr 2004, Stas Khirman wrote:

> Hi,
> 
> I'm about to write a dissector for a protocol with unpredictable port
> binding. The good news is that the protocol has a distinctive signature in
> the first data packet. I hear that Ethereal has support for this kind of
> dissector, but I didn't find anything in the documentation (sorry for
> bothering the mailing list if this issue is already described somewhere).
> 
> I'll appreciate any help on the following:
> 
> 1.) How can I define a dissector for a "signature-based" protocol? What
> are the special issues I have to pay attention to?
> 2.) What is the order of packet-to-dissector assignment in the Ethereal
> core? What source file is recommended to review?
> 3.) Can you please point me to some existing dissector dealing with
> non-port-bound protocols?
> 
> 
> Regards
> Stas
> 
>
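
The advice above about keeping the signature check specific, as an added example that is not part of the original thread or of Ethereal's source: a weak first-byte test beside a check that validates every header field. The "XPR1" protocol, its header layout, the function names and the sample payloads are all hypothetical, and the length check assumes one message per packet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header layout (constructed for this example):
 *   bytes 0-3  magic "XPR1"
 *   byte  4    version, must be 1
 *   byte  5    message type, 0..3
 *   bytes 6-7  body length, big-endian, must equal the bytes that follow */
#define XPR_HDR_LEN 8

/* Too weak: claims any payload whose first byte is 1. */
bool weak_heuristic(const uint8_t *buf, size_t len)
{
    return len >= 1 && buf[0] == 1;
}

/* Specific: every header field must be consistent, otherwise reject
 * so that another dissector can be tried on the packet. */
bool specific_heuristic(const uint8_t *buf, size_t len)
{
    if (len < XPR_HDR_LEN)
        return false;                  /* too short to hold a header */
    if (memcmp(buf, "XPR1", 4) != 0)
        return false;                  /* wrong magic */
    if (buf[4] != 1 || buf[5] > 3)
        return false;                  /* unknown version or type */
    size_t body = ((size_t)buf[6] << 8) | buf[7];
    return body == len - XPR_HDR_LEN;  /* declared length must match */
}

/* Constructed sample payloads. */
const uint8_t good_msg[]    = { 'X','P','R','1', 1, 2, 0, 3, 0xAA, 0xBB, 0xCC };
const uint8_t other_msg[]   = { 1, 0, 0, 0, 0x10, 0x20, 0x30, 0x40, 0x50 };
const uint8_t bad_len_msg[] = { 'X','P','R','1', 1, 2, 0, 9, 0xAA };

int main(void)
{
    printf("other traffic: weak=%d specific=%d\n",
           weak_heuristic(other_msg, sizeof other_msg),
           specific_heuristic(other_msg, sizeof other_msg));
    printf("good message:  specific=%d\n",
           specific_heuristic(good_msg, sizeof good_msg));
    printf("bad length:    specific=%d\n",
           specific_heuristic(bad_len_msg, sizeof bad_len_msg));
    return 0;
}
```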