Re: Heuristic Dissector Priority
From: Richard Maudsley <richard.maudsley () powwownow com>
Date: Mon, 22 Apr 2013 16:40:54 +0000
Hi Evan, thanks for your reply.
I saw the functions register_postdissector and call_all_postdissectors in packet.h. I'm really looking for something
that does the opposite ("predissector"?) for heuristic dissectors. Is there some way to achieve this?
I don't consider it to be a bug in the built-in dissector, it's working just fine! My plugin handles a subset of the
protocol that the built-in dissector implements - a missing feature, if you like - hence the need for a plugin.
Richard Maudsley | Junior Systems Developer
Office: +44 (0)207 990 0900 | Fax: +44 (0)203 355 4262
UK Office: First Floor, Vectra House, 36 Paradise Road, Richmond, TW9 1SE
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Evan Huus
Sent: 22 April 2013 17:22
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Heuristic Dissector Priority
On Mon, Apr 22, 2013 at 12:11 PM, Richard Maudsley <richard.maudsley () powwownow com> wrote:
My plugin registers a UDP heuristic dissector which handles several protocols multiplexed on the same port. This is
working fine, except that one of the built-in Wireshark dissectors is picking up packets before I get a chance to see
them and blocks my dissector from running, even though I would be able to return TRUE from the dissector procedure and
handle the packet.
If the dissector is incorrectly picking up the packet (i.e. it thinks it contains protocol X, but it doesn't) then file a
bug against the heuristic used. If the dissector is correctly picking up the packet (i.e. the packet actually contains
protocol X) then why does your plugin need to handle it? Presumably whatever you need to do can be done by improving
the existing dissector or by using a tap.
At first I started looking for some sort of priority setting (a simple integer precedence on the dissector would have
made sense), but it doesn't look like such a thing exists. Then I started looking into more complicated solutions, such
as disabling the offending dissector, allowing my dissector to run, and invoking it afterwards as a sub-dissector.
I'm a bit confused by this - are you wrapping an existing protocol in some special header, but the existing heuristic
is skipping the header and jumping straight to the payload?
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>