Wireshark-dev: Re: [Wireshark-dev] Register dissector to MAC address
Date: Tue, 13 Nov 2007 18:19:13 +0100
Title: Re: [Wireshark-dev] Register dissector to MAC address

Thanks for your advises, I will check if I can find a way to do heuristic dissecting.



Von: [email protected] [mailto:[email protected]] Im Auftrag von Maynard, Chris
Gesendet: Montag, 12. November 2007 23:13
An: Developer support list for Wireshark
Betreff: RE: [Wireshark-dev] Register dissector to MAC address


At first glance, packet-eth.c seems to have heuristic support, but it doesn't appear to work, at least not how I expected it to.  For example, originally for the WOL dissector, I registered as I do for UDP, namely:

    heur_dissector_add("eth", dissect_wol, proto_wol);


But registering it that way didn't work for me, so it's been changed to:

    dissector_add("ethertype", ETHERTYPE_WOL, wol_handle);


I didn't dig too deeply into why it failed since I had a reasonable alternative, but I suppose I should have.  It now seems to me to be a bug in packet-eth.c, but I'm not entirely sure, based on the comments in the code.


First, compare the way a dissector like packet-udp.c tries the heuristic dissectors, using the "next_tvb":

    next_tvb = tvb_new_subset(tvb, offset, len, reported_len);

    if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))

Now look at how packet-eth.c does it:

    if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree))
        goto end_of_eth;

Notice that there's no "next_tvb".  I assumed that this was intentional when I looked at it before, but now I'm not so sure.  A bug?  It now sure looks like it to me.  I couldn't find any other dissectors that try to heuristically register to "eth" as I tried above.  Perhaps because it doesn't work?  If it is a bug, then once that's corrected, then that would be the better way to register both WOL and the original poster's dissector - heuristically.


- Chris


From: [email protected] on behalf of Stephen Fisher
Sent: Mon 11/12/2007 12:50 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Register dissector to MAC address

On Mon, Nov 12, 2007 at 12:37:10PM -0500, Maynard, Chris wrote:

> Can anyone think of a reason NOT to add heuristic dissection support
> to packet-eth.c?  Or does anyone have a better/alternate way to solve
> this?

My first thought is that the original poster's dissector could be a
heuristic that checks against the MAC address when deciding whether to
acccept the packet or not.  Does this need changes to packet-eth.c?  I'm
not sure, but could find out by researching the code a bit.


Wireshark-dev mailing list
[email protected]

Hilscher Gesellschaft fur Systemautomation mbH
Rheinstr. 15, 65795 Hattersheim
Sitz der Gesellschaft: Hattersheim
Geschaftsfuhrer: Hans-Jurgen Hilscher
Registergericht: Amtsgericht Frankfurt/Main
Handelsregister: Frankfurt B 26873