Wireshark-dev: Re: [Wireshark-dev] Enhancement of built-in dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 26 Aug 2011 03:08:55 -0700
On Aug 26, 2011, at 2:15 AM, <HPfrommer@xxxxxxxxxxxx> wrote:

> some time ago I submitted a patch (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6082) to enhance some features of a built in dissector.
> Unfortunately, nothing happened so far. I know you guys are quite busy, but I would appreciate if someone could check the patch, to have it available with the next releases.

I checked it, and I refuse to check it in for any release - the very notion of a heuristic dissector for the frame dissector makes no sense whatsoever, as the contents of the frame depend on the link-layer type of the frame.

As I said in the bug:

The very notion of a heuristic dissector running directly atop the "frame" dissector is nonsensical; the contents of the frame depend on the link-layer type of the frame; you don't know whether the frame is an Ethernet frame or an 802.11 frame or an 802.11 frame with a radiotap header or an 802.11 frame with a PRISM header or a Token Ring frame or an FDDI frame or a PPP frame or a BSD loopback interface frame or a raw IP frame or an ATM AAL5 frame with some particular flavor of pseudo-header or....

If Hilscher made the huge mistake of putting into a pcap file with a link-layer type of 1 (LINKTYPE_ETHERNET/DLT_EN10MB) frames that have a netANALYZER-specific header, followed by a regular Ethernet frame, that's their mistake, not ours; if they want to put their frames into pcap files, they should request a LINKTYPE_/DLT_ value for their packets from tcpdump-workers@xxxxxxxxxxxxxxxxx, and contribute code for Wireshark that adds a new WTAP_ENCAP_ value for that LINKTYPE_ value, maps that LINKTYPE_ value to the new WTAP_ENCAP_ value, and adds a dissector for that WTAP_ENCAP_ value.
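
The point made in the message above, as an added example that is not part of the original post and is not Wireshark code: the link-layer type declared in the pcap file header, not the packet bytes, selects the dissector, and an unregistered value is refused rather than guessed at. The function names, the dissector labels and the two sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* A few LINKTYPE_ values for the frame types named in the message (from the
 * tcpdump.org link-layer header type registry); labels are illustrative. */
static const struct { uint32_t linktype; const char *dissector; } known[] = {
    {0, "BSD loopback"}, {1, "Ethernet"}, {6, "Token Ring"}, {9, "PPP"},
    {10, "FDDI"}, {101, "raw IP"}, {105, "802.11"},
    {119, "802.11 + PRISM header"}, {127, "802.11 + radiotap header"},
};

/* Constructed 24-byte pcap file headers (not from a real capture). */
const uint8_t SAMPLE_ETHERNET_LE[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0,
    0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
const uint8_t SAMPLE_RADIOTAP_BE[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4,
    0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,127 };

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    if (big_endian)
        return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Link-layer type from a pcap file header, or -1 if this is not pcap. */
long pcap_linktype(const uint8_t *hdr, size_t len)
{
    int big_endian;
    if (len < 24) return -1;
    uint32_t magic = rd32(hdr, 0);   /* magic as seen by a little-endian reader */
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) big_endian = 0;
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) big_endian = 1;
    else return -1;
    return (long)(rd32(hdr + 20, big_endian) & 0xffffu); /* low 16 bits hold the type */
}

/* Dissector chosen by the declared link type alone; NULL means refuse, not guess. */
const char *dissector_for(long linktype)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if ((long)known[i].linktype == linktype) return known[i].dissector;
    return NULL;
}

int main(void)
{
    const char *d = dissector_for(pcap_linktype(SAMPLE_RADIOTAP_BE, 24));
    printf("%s\n", d ? d : "no dissector registered");
    return 0;
}
```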