
Wireshark-dev: [Wireshark-dev] heur_dissector_add()

From: "David Aggeler" <david_aggeler@xxxxxxxxxx>
Date: Thu, 22 Mar 2018 11:50:07 +0100

 

I’m intending to re-enable the heuristic part in the DICOM dissector. So I read through the updates readme and some other dissectors, and to my surprise, the return value of the heuristic still is supposed to be boolean, where the static one returns int.

 

Implementation-wise, by now I kind of only see ‘return tvb_captured_length(tvb)’. Wasn’t this consumed bytes or needed bytes at some point? I used to return the same int also in the heuristic part and never had an issue, but it looks wrong.

 

I did not understand that 8 years back, and I still don’t. Does it mean a heuristic can’t re-assemble?

Can someone explain today’s difference to me?

 

The other part that seems to have changed is the settings for this. Is it not desired anymore that the user can select at dissector level whether it shall do the heuristic math or not?

 

Regards

David