Wireshark-dev: Re: [Wireshark-dev] Heuristic dissector conflict
From: "Shah, Sachin" <[email protected]>
Date: Fri, 19 Oct 2007 18:29:09 -0700
That worked. Sorry for the newbie question, I just started working on
this new ethereal plugin and one of them was already implemented by
someone else and I just took that one as a template. Looks like
packet-acn.c is a good template for a heuristic dissector.

Thanks again.


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Guy Harris
Sent: Friday, October 19, 2007 11:39 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Heuristic dissector conflict

Shah, Sachin wrote:
> Thanks for your response. I am using ethereal 0.10.12 for these

You should probably update to a later release; the current release of 
the application formerly known as Ethereal and now known as Wireshark is


> and the signature expected for "dissect_???" method is "static void
> dissect_???(tvbuff_t*, packet_info*, proto_tree*)",

The signature expected for *non-heuristic* dissectors is the signature 
you describe.

The signature expected for *heuristic* dissectors has a return value of 
gboolean, and that has been the case since the very first release that 
supported heuristic dissectors (which happened so long ago that I forgot
whether I was the person who added the heuristic dissector mechanism or 
not :-)).

> so I don't think "return FALSE" will work for me.

A dissector that doesn't return a Boolean value is not a heuristic 
dissector (and a dissector that always returns TRUE is a heuristic 
dissector with no heuristic :-)), so if you want your dissectors to be 
heuristic, *NOT* doing "return FALSE" in at least one place in the 
dissector will not work for you.

> I looked at the packet-acn.c and it doesn't seem to use
> "heur_dissector_add()", but it does call "find_dissector("ip")" to get
> ip_handle, but it doesn't use the ip_handle anywhere. Am I missing
> something there?

Yes, you're missing the latest version of Ethereal/Wireshark.  Try 
looking at the packet-acn.c in 0.99.6.
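
Added example (not part of the original messages and not Wireshark code): a stand-alone C model of the contract described above, where a heuristic dissector returns FALSE unless its checks pass and the dispatcher stops at the first TRUE. The names buf_t, heur_fn, dispatch() and the "FOO" protocol are made-up stand-ins, not Wireshark's tvbuff_t/packet_info API.

```c
/* Model of heuristic dissector dispatch; all types here are stand-ins, not Wireshark's API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const unsigned char *data; size_t len; } buf_t; /* stand-in for tvbuff_t */
typedef bool (*heur_fn)(const buf_t *buf, const char **claimed_by);

/* Heuristic for a made-up protocol "FOO": 4-byte magic, then a version byte (0..2). */
static bool dissect_foo_heur(const buf_t *buf, const char **claimed_by)
{
    if (buf->len < 5) return false;                      /* too short to test: not ours */
    if (memcmp(buf->data, "FOO1", 4) != 0) return false; /* magic mismatch: not ours */
    if (buf->data[4] > 2) return false;                  /* unknown version: not ours */
    *claimed_by = "foo";                                 /* claim only after every check passed */
    return true;
}

/* The "heuristic dissector with no heuristic": claims every packet it is offered. */
static bool dissect_greedy_heur(const buf_t *buf, const char **claimed_by)
{
    (void)buf;
    *claimed_by = "greedy";
    return true;
}

/* Try each registered heuristic in order; the first one returning true wins. */
static const char *dispatch(const heur_fn *list, size_t n, const unsigned char *data, size_t len)
{
    buf_t buf = { data, len };
    const char *claimed_by = "data";                     /* fallback when nobody claims it */
    for (size_t i = 0; i < n; i++)
        if (list[i](&buf, &claimed_by)) break;
    return claimed_by;
}

/* Constructed sample payloads and two registration orders. */
static const unsigned char PKT_FOO[]   = { 'F', 'O', 'O', '1', 0x01, 0xAA };
static const unsigned char PKT_OTHER[] = { 'B', 'A', 'R', '!', 0x01, 0xAA };
static const unsigned char PKT_SHORT[] = { 'F', 'O', 'O' };
static const heur_fn GOOD_ORDER[] = { dissect_foo_heur, dissect_greedy_heur };
static const heur_fn BAD_ORDER[]  = { dissect_greedy_heur, dissect_foo_heur };

int main(void)
{
    printf("%s %s\n", dispatch(GOOD_ORDER, 2, PKT_FOO, sizeof PKT_FOO), dispatch(BAD_ORDER, 2, PKT_FOO, sizeof PKT_FOO));
    printf("%s %s\n", dispatch(GOOD_ORDER, 1, PKT_OTHER, sizeof PKT_OTHER), dispatch(GOOD_ORDER, 1, PKT_SHORT, sizeof PKT_SHORT));
    return 0;
}
```

With the always-TRUE dissector registered first, the FOO packet never reaches dissect_foo_heur, which is the conflict in the subject line.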