Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Register dissector to MAC address

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 18 Dec 2007 02:38:50 -0800
Maynard, Chris wrote:

Then there's the downside of changing the existing behavior - meaning
pretty much every packet will have to be scanned to determine if it
contains the MagicPacket or not since theoretically, the MagicPacket can
occur within ANY packet (i.e., ANY Ethertype).

However, if the MagicPacket value appears within, for example, a packet with an Ethertype of 0x0800, that packet had better be a valid IPv4 packet, or the recipient is likely to get *really* upset.

I.e., such a packet isn't going to be a magic packet, in the sense of a packet that should be parsed as a magic packet rather than an IPv4 packet.

So the heuristics should, in that case, be done *after* the Ethertype is checked, and only packets that don't match any of the known Ethertypes should be checked against the heuristics.

Unfortunately, that might cause problems for the "no Ethertype assigned, but these are only sent to a particular MAC address" packets, if they happen to be given a standard Ethertype. We might want to add a new dissector table type, with the key being a MAC address rather than an unsigned integer or a string, and use that.