Wireshark-dev: Re: [Wireshark-dev] Developing a dissector for MODBUS-based protocol
From: Guy Harris <[email protected]>
Date: Tue, 24 Jun 2008 00:25:57 -0700
Barnes, Pat wrote:

> Should just load without causing errors, and not recognise any packets
> (yet). The heuristic dissector is added to "mbtcp" - because it's a
> particular subset of the modbus/tcp protocol.
>
> It builds without problems, but crashes Wireshark! (btw, where would a
> relevant log file be found?)

If Wireshark were run from a terminal window in UN*X, or if TShark were 
run from a terminal/terminal window in UN*X or a console window in 
Windows, it would probably have printed a message reporting that an 
assertion had failed.

> If I change "mbtcp" to just "tcp", there are no errors. (but I want to
> have the dissector sit under mbtcp so that I can access the mbtcp
> fields)
>
> What is happening?

heur_dissector_add() is reporting that there's no "mbtcp" heuristic 
dissector table to which to add your dissector.  In order to support 
heuristic sub-dissectors, a dissector must register a heuristic 
sub-dissector table, and must check that table at the relevant place 
when dissecting; there's no magic way to insert heuristic dissectors 
into arbitrary places in a dissector.

You'd have to modify the MODBUS/TCP dissector to call 
dissector_try_heuristic(), with the sub-dissector table, in the 
appropriate places, such as the dissection of the data in a 
READ_WRITE_REG message.  Construct a tvbuff containing the data, and use 
that.

You'd probably want to use a name different from "mbtcp" for the table 
if it's used only for READ_WRITE_REG messages, such as "mbtcp-rwreg".
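
The mechanism described in this message, as an added stand-alone C model (not part of the original message and not Wireshark's code): a parent must register a named table and consult it itself, and adding to a name nobody registered fails. Every type and function name, the `[func][byte count][data]` layout and the `0xA5` marker are assumptions made for the illustration; only the table names "mbtcp" and "mbtcp-rwreg" come from the thread.

```c
/* Stand-alone model of heuristic sub-dissector tables. All names are
   hypothetical; this is not Wireshark's code, and the PDU layout is constructed. */
#include <string.h>
#define MAX 4
#define FUNC_RWREG 23 /* Modbus Read/Write Multiple Registers */
typedef struct { const unsigned char *data; size_t len; } buf_t; /* stands in for a tvbuff */
typedef int (*heur_fn)(buf_t payload); /* returns 1 when it claims the data */
typedef struct { const char *name; heur_fn fns[MAX]; size_t n; } heur_table;

static heur_table tables[MAX], *rwreg_table; /* rwreg_table belongs to the parent */
static size_t n_tables;

/* Parent side: create a named table the parent promises to consult. */
static heur_table *table_register(const char *name) {
    if (n_tables == MAX) return NULL;
    tables[n_tables] = (heur_table){ .name = name };
    return &tables[n_tables++];
}

/* Sub-dissector side: attach by name; -1 when nobody registered that table. */
static int heur_add(const char *name, heur_fn fn) {
    for (size_t i = 0; i < n_tables; i++)
        if (strcmp(tables[i].name, name) == 0 && tables[i].n < MAX) {
            tables[i].fns[tables[i].n++] = fn;
            return 0;
        }
    return -1;
}

/* Parent side: offer only FUNC_RWREG data, as a bounds-checked sub-buffer. */
static int parent_dissect(buf_t pdu) {
    if (!rwreg_table || pdu.len < 2 || pdu.data[0] != FUNC_RWREG) return 0;
    if ((size_t)pdu.data[1] > pdu.len - 2) return 0; /* count exceeds captured bytes */
    buf_t sub = { pdu.data + 2, pdu.data[1] };
    for (size_t i = 0; i < rwreg_table->n; i++)
        if (rwreg_table->fns[i](sub)) return 1;
    return 0;
}

/* Hypothetical vendor heuristic: claims data that starts with 0xA5. */
static int vendor_heur(buf_t p) { return p.len >= 1 && p.data[0] == 0xA5; }

int main(void) {
    unsigned char pdu[] = { FUNC_RWREG, 2, 0xA5, 0x01 }; /* constructed sample */
    int missing = heur_add("mbtcp", vendor_heur); /* -1: no such table */
    rwreg_table = table_register("mbtcp-rwreg");
    int added = heur_add("mbtcp-rwreg", vendor_heur);
    int claimed = parent_dissect((buf_t){ pdu, sizeof pdu });
    return !(missing == -1 && added == 0 && claimed == 1); /* exit 0 when as expected */
}
```

In this model the failed add returns -1 instead of tripping an assertion, and the length check in `parent_dissect` keeps a sub-dissector from being handed more bytes than were captured.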