
Wireshark-dev: [Wireshark-dev] Writing a heuristic dissector

From: Qifan Xi <qxi@xxxxxxxxxxxxxxxxx>
Date: Mon, 20 Oct 2008 16:11:11 -0400
Hi all,

I'm new to wireshark dissector development, and am looking for some general tips and pointers to helpful docs or example code for a protocol dissector I'm writing.

The (application-layer) protocol I want to dissect does not describe a single, pre-defined port for communication but has a telltale handshake procedure that can be used to determine the beginning of that protocol's communication. It is my understanding that under these circumstances, I would need to write a heuristic dissector in order to examine all incoming packets for this handshake.

What I want to know is how to verify a multi-message handshake and keep track of the protocol's "connection" once the handshake has been completed. I know that Wireshark can group collected packets into conversations based on criteria, but I'm at a loss for how to go about using conversations in my dissector: how to create conversations, how dissectors sequentially read packets from a conversation while maintaining persistent data about the conversation, etc. Can someone help me out in this regard?


Thanks in advance,
Qifan Xi
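As an added illustration (not code from the thread or from the Wireshark project), here is a heuristic dissector for a constructed handshake protocol, written against the current Wireshark Lua API rather than the C API: it claims the TCP conversation once it sees the first handshake message and keeps per-conversation state across the remaining packets. The wire format, message types and the "MYHS" marker are hypothetical; the C equivalents of what it does are heur_dissector_add(), conversation_new()/find_conversation() and conversation_add_proto_data()/conversation_get_proto_data().

```lua
-- Added example, not part of the original thread. Hypothetical wire format:
-- 1-byte message type, 2-byte big-endian payload length, payload.
-- Handshake: 0x01 HELLO (payload "MYHS") -> 0x02 WELCOME -> 0x03 READY, then 0x10 DATA.
local myhs = Proto("myhs", "Example Handshake Protocol")
local f_type  = ProtoField.uint8("myhs.type", "Message Type", base.HEX)
local f_len   = ProtoField.uint16("myhs.len", "Payload Length", base.DEC)
local f_stage = ProtoField.string("myhs.stage", "Handshake Stage")
myhs.fields = { f_type, f_len, f_stage }

local tcp_stream = Field.new("tcp.stream")   -- key for per-conversation state
local NAMES = { [1] = "HELLO", [2] = "WELCOME", [3] = "READY", [16] = "DATA" }
local NEXT  = { [1] = 2, [2] = 3, [3] = 16, [16] = 16 }  -- expected successor type

local conv_state = {}   -- tcp.stream index -> { expect = <type>, done = <bool> }
local frame_note = {}   -- frame number -> stage string, so redisplay stays consistent

local function dissect(tvb, pinfo, tree)
  if tvb:len() < 3 then return false end
  local mtype, plen = tvb(0, 1):uint(), tvb(1, 2):uint()
  if tvb:len() < 3 + plen or not NAMES[mtype] then return false end
  local fi  = tcp_stream()
  local key = fi and fi.value or -1
  local st  = conv_state[key]
  if not pinfo.visited then
    -- First pass only: advance the per-conversation state machine.
    if not st then
      -- Only a well-formed HELLO may claim a conversation for this protocol.
      if mtype ~= 1 or plen ~= 4 or tvb(3, 4):string() ~= "MYHS" then return false end
      st = { expect = 2, done = false }
      conv_state[key] = st
      pinfo.conversation = myhs   -- route later packets of this stream to us
    elseif mtype == st.expect then
      st.expect = NEXT[mtype]
      st.done = st.done or (mtype == 3)
    end
    frame_note[pinfo.number] = st.done and "established" or "handshake"
  elseif not st then
    return false   -- second pass, conversation was never claimed
  end
  pinfo.cols.protocol = "MYHS"
  local sub = tree:add(myhs, tvb(0, 3 + plen))
  sub:add(f_type, tvb(0, 1)):append_text(" (" .. NAMES[mtype] .. ")")
  sub:add(f_len, tvb(1, 2))
  sub:add(f_stage, frame_note[pinfo.number] or "unknown")
  return true
end

myhs.dissector = function(tvb, pinfo, tree) dissect(tvb, pinfo, tree) end
myhs:register_heuristic("tcp", dissect)   -- tried on TCP payloads no dissector has claimed
```

Because state is only advanced when pinfo.visited is false, the handshake stage recorded for each frame does not drift when the capture is re-dissected (filter changes, refiltering, or re-opening the file).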