Wireshark-dev: Re: [Wireshark-dev] Stop dissection in get_pdu_len
From: Tobias Weiss <[email protected]>
Date: Thu, 24 May 2012 14:18:36 -0400

Jakub Zawadzki wrote on 05/24/2012 01:02:40 PM:
> tcp_dissect_pdus() splits one big tvb into smaller ones. No big magic.
> So it should be possible to write something like:
> bool dissect_heur(tvb, pinfo, tree)
> {
>   offset = 0;
>   while (tvb_reported_length_remaining(tvb, offset) > minimal_packet_len)
>      if (!valid_header)
>       return FALSE;
>      offset += your_proto_get_pdu_len(pinfo, tvb, offset);
>   }
>   tcp_dissect_pdus(tvb, pinfo, tree, ..., your_proto_get_pdu_len,
> your_proto_dissect_pdu)
>   return TRUE;
> }
> It's better to copy whole tcp_dissect_pdus() semantic, that's why I
> proposed you to write
> new function.
> > but what should I do if I can? Currently  I'm calling
> expert_add_info_* and return without doing anything.
> > But in this case the user does not even see a warning as long as
> he does not open the Expert
> > Info window.
> Well if it's heurestic dissector just return, if it's not you
> probably don't need to test it :)

I just read about heuristic dissectors after you mentioned them. While
reading the README.heuristig I figured out that instead of using
create_dissector_handle() I would be better off with
new_create_dissector_handle(). The only reason I'm using tcp_dissect_pdus()
is because sometimes my messages are split over 2 or more TCP frames. I
guess using new_create_dissector_handle() and returning a negative value in
that case would be 1) much easier and 2) a bit faster, right??