Wireshark-dev: Re: [Wireshark-dev] Stop dissection in get_pdu_len
From: Jakub Zawadzki <[email protected]>
Date: Thu, 24 May 2012 19:02:40 +0200
On Thu, May 24, 2012 at 12:29:58PM -0400, Tobias Weiss wrote:
> Jakub Zawadzki wrote on 05/24/2012 12:02:50 PM:
> > You can't. But you can check header before calling tcp_dissect_pdus().
> > But it'd be good to have some tcp_dissect_pdus_heur(), feel free to
> > write one :-)
> 
> Ok, but it's not always possible to verify the header before
> tcp_dissect_pdus(), 

tcp_dissect_pdus() splits one big tvb into smaller ones. No big magic.
So it should be possible to write something like:

bool dissect_heur(tvb, pinfo, tree)
{
  offset = 0;
  while (tvb_reported_length_remaining(tvb, offset) > minimal_packet_len) {
     if (!valid_header)
	   return FALSE;

     offset += your_proto_get_pdu_len(pinfo, tvb, offset);
  }
  tcp_dissect_pdus(tvb, pinfo, tree, ..., your_proto_get_pdu_len, your_proto_dissect_pdu)
  return TRUE;
}

It's better to copy whole tcp_dissect_pdus() semantic, that's why I proposed you to write 
new function.

> but what should I do if I can? Currently  I'm calling expert_add_info_* and return without doing anything. 
> But in this case the user does not even see a warning as long as he does not open the Expert
> Info window.

Well if it's heurestic dissector just return, if it's not you probably don't need to test it :)