Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Heuristic Dissector Priority
From: Richard Maudsley <richard.maudsley () powwownow com>
Date: Mon, 22 Apr 2013 16:40:54 +0000

Hi Evan, thanks for your reply.

I saw the functions register_postdissector and call_all_postdissectors in packet.h. I'm really looking for something 
that does the opposite ("predissector"?) for heuristic dissectors. Is there some way to achieve this?

I don't consider it to be a bug in the built-in dissector, it's working just fine! My plugin handles a subset of the 
protocol that the built-in dissector implements - a missing feature, if you like - hence the need for a plugin.

Regards, Richard

Richard Maudsley | Junior Systems Developer
Office: +44 (0)207 990 0900 | Fax: +44 (0)203 355 4262
UK Office: First Floor, Vectra House, 36 Paradise Road, Richmond, TW9 1SE
Website: www.powwownow.co.uk<http://www.powwownow.co.uk/>

[Description: http://images.powwownow.com/signature-pwn-tt-b2b.png]

The information contained in this email and attachments is confidential and is intended for the exclusive use of the 
individual(s) or organisation(s) specified herein. Unauthorised dissemination, copying of content, misuse or wrongful 
disclosure of information contained herein is strictly prohibited and may be illegal. Views expressed in this message 
are those of the individual sender, unless the sender specifically states them to be the views of an 
organisation/employer. If you have received this email in error, delete it and contact the sender on +44 207 990 0900. 
Please rely on your own virus check as no responsibility is taken by the sender for damage arising from any virus 
infection this communication may contain

From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Evan Huus
Sent: 22 April 2013 17:22
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Heuristic Dissector Priority

On Mon, Apr 22, 2013 at 12:11 PM, Richard Maudsley <richard.maudsley () powwownow com<mailto:richard.maudsley () 
powwownow com>> wrote:
My plugin registers a UDP heuristic dissector which handles several protocols multiplexed on the same port. This is 
working fine, except that one of the built-in Wireshark dissectors is picking up packets before I get a chance to see 
them and blocks my dissector from running, even though I would be able to return TRUE from the dissector procedure and 
handle the packet.

If the dissector is incorrectly picking up the packet (ie it thinks it contains protocol X, but it doesn't) then file a 
bug against the heuristic used. If the dissector is correctly picking up the packet (ie the packet actually contains 
protocol X) then why does your plugin need to handle it? Presumably whatever you need to do can be done by improving 
the existing dissector or by using a tap.

At first I started looking for some sort of priority setting (a simple integer precedence on the dissector would have 
made sense), but it doesn't look like such a thing exists. Then I started looking into more complicated solutions, such 
as disabling the offending dissector, allowing my dissector to run, and invoking it afterwards as a sub-dissector.

I'm a bit confused by this - are you wrapping an existing protocol in some special header, but the existing heuristic 
is skipping the header and jumping straight to the payload?

Cheers,
Evan

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]