Wireshark-dev: Re: [Wireshark-dev] heuristic Dissector vs. normal dissector

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 27 Aug 2008 18:25:33 -0400

Wireshark will first[1] try giving a given packet to port-registered dissectors. If any of them accept the message, it's done. If none of them take the message (or there are no port-registered dissectors on that port), Wireshark will give the packet to each heuristic TCP dissector, one after the other, until one accepts the packet.

[1] TCP has a "try heuristic subdissectors first" option which makes it try the heuristic dissectors before the port-registered ones.

Tom Stevens wrote:
Thanks for the information!

But, without a port number, how can Wireshark find (identify) the correct dissector for the incoming packets? What are the specific criteria? Maybe you can give me an example. I'm a bit slow on the uptake at the moment.

Greetings Tom (Germany)



2008/8/27 Kumar, Hemant <kumarh@xxxxxxxxxxxx>

    Basically, a heuristic dissector means that your dissector will accept
    all the traffic packets and will not segregate based on port number.

    So to identify your own custom dissector protocol messages you have
    to separate out the packets based on certain criteria specific to your
    protocol.

    And a normal dissector is registered with Wireshark based on
    port information, which tells Wireshark on which port your message is
    going to be exchanged.

    I hope it clarifies.

    Hemant.

    ------------------------------------------------------------------------

    *From:* wireshark-dev-bounces@xxxxxxxxxxxxx
    [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] *On Behalf Of *Tom Stevens
    *Sent:* Wednesday, August 27, 2008 2:24 PM
    *To:* wireshark-dev@xxxxxxxxxxxxx
    *Subject:* [Wireshark-dev] heuristic Dissector vs. normal dissector

    Hi!

    What are the differences between a heuristic dissector and a normal
    dissector? So far I have not considered heuristic dissectors,
    because I did not know what they are and how to use them.
    Maybe you can help!

    Thanks in advance, Tom (Germany)





------------------------------------------------------------------------

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
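As an added example (not code from this thread), here is a hypothetical Lua dissector that registers the same protocol both ways as the replies above describe: once on a TCP port and once as a TCP heuristic. The protocol name "FOO", its magic value, port 5555 and frame layout are constructed for illustration.

```lua
-- Added example (not from this thread): one hypothetical "FOO" protocol
-- registered both ways. Frame format is constructed for this example:
--   4-byte magic 0x464F4F01 | 2-byte payload length | payload
local foo = Proto("foo", "FOO (hypothetical example protocol)")
local f_magic = ProtoField.uint32("foo.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("foo.len",   "Payload length", base.DEC)
local f_data  = ProtoField.bytes("foo.data",   "Payload")
foo.fields = { f_magic, f_len, f_data }

local FOO_MAGIC  = 0x464F4F01   -- constructed value
local FOO_HDRLEN = 6
local FOO_PORT   = 5555         -- assumed port for the port-registered path

-- Shared worker: builds the tree once the bytes are known to be FOO.
local function dissect_foo(tvb, pinfo, tree)
  pinfo.cols.protocol = "FOO"
  local st = tree:add(foo, tvb(0, tvb:len()))
  st:add(f_magic, tvb(0, 4))
  st:add(f_len, tvb(4, 2))
  if tvb:len() > FOO_HDRLEN then
    st:add(f_data, tvb(FOO_HDRLEN, tvb:len() - FOO_HDRLEN))
  end
  return tvb:len()
end

-- "Normal" dissector: Wireshark calls it only for TCP port 5555, before any
-- heuristic dissector (unless the TCP "try heuristic sub-dissectors first"
-- preference is enabled). A port is not proof of the protocol, so a sanity
-- check is still wise here even though none is required.
function foo.dissector(tvb, pinfo, tree)
  return dissect_foo(tvb, pinfo, tree)
end
DissectorTable.get("tcp.port"):add(FOO_PORT, foo)

-- Heuristic dissector: Wireshark offers it every TCP payload that no
-- port-registered dissector claimed, on any port. It must decide from the
-- bytes alone and return false unless the evidence is strong; a loose
-- heuristic silently mislabels other protocols' traffic in the capture.
local function heur_dissect_foo(tvb, pinfo, tree)
  if tvb:len() < FOO_HDRLEN then return false end
  if tvb(0, 4):uint() ~= FOO_MAGIC then return false end
  -- The length field must account for exactly the rest of the segment.
  if tvb(4, 2):uint() ~= tvb:len() - FOO_HDRLEN then return false end
  dissect_foo(tvb, pinfo, tree)
  return true
end
foo:register_heuristic("tcp", heur_dissect_foo)
```

Load it from the Wireshark plugins directory (or with `-X lua_script:`) and frames on port 5555 decode via the port path, while matching frames on any other port decode only because the heuristic accepted them.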