Wireshark-dev: Re: [Wireshark-dev] X11/GLX dissector
From: Guy Harris <[email protected]>
Date: Mon, 07 Aug 2006 09:59:21 -0700
Max Lapan wrote:

The best way to do it, in theory, would be to have the X11 dissector export a dissector table for extensions.
Sorry, I'm new to wireshark internal interfaces, so, maybe, asking
newbie question. Did I guess right that to force heur_dissector_add()
to work, parent dissector must call register_dissector_table() at the
dissector registration stage and dissector_try_heruistic() during the
analisys stage?
No.

If you have a dissector for a protocol that's associated with a particular numerical value of a particular field in the parent protocol (e.g., a particular value of the Ethernet type field), the parent dissector would call register_dissector_table() in its registration routine to create the dissector table, the child dissector would call dissector_add() on that table in its handoff registration routine, and the parent dissector would call dissector_try_port() during the analysis stage.
There are similar routines for string values.

If you have a dissector for a protocol that can't be associated with particular values in the calling protocol, so you would have to look at the contents of the packet to try to guess what protocol it's for, that's a heuristic dissector. For those, the parent dissector would call register_heur_dissector_list() in its registration routine to create the heuristic dissector table, the child dissector would call heur_dissector_add() on that table in its handoff registration routine, and the parent dissector would call dissector_try_heuristic() during the analysis stage.
Yes, you're absolutely right. I didn't thought about that. Major
opcode returned by XQueryExtension is a dynamic value and depends from
load order of X11 server extension modules.

So, there is no solution 'in general'. But X11 dissector maintains
extensions table (which built according XQueryExtions replies).  Is
there standard way in Wireshark to 'publish' such table from dissector
module to others?

As you've noted, X11 extensions have more or less standard names, so
my module can query X11 dissector for GLX major_opcode value.
Probably the best way to do this would be to register extension 
dissectors using the extension *name*, and, for an X request with a 
request code >= 128, attempt to look up the request code in the 
extensions table and, if it finds the extension name, call 
dissector_try_string() with the extension name.