Wireshark mailing list archives

Re: [Wireshark-commits] master 04c39bb: Add Lua heuristic dissector support
From: Bill Meier <wmeier () newsguy com>
Date: Fri, 14 Mar 2014 17:06:39 -0400


Re:

  doc/README.heuristic          |   10 +--


+     * but ONLY do this if your heuristic sits directly on top of UDP
        or TCP (ie, you did heur_dissector
+     * otherwise you'll be overriding the dissector that called your
        heuristic dissector.


I think this is not correct. There is at least one "transport" protocol other than TCP & UDP (i.e., DCCP) which currently has a heuristic table and calls 'try_conversation()' and thus heuristic sub-dissectors can use conversation_set_dissector().

I think, in theory, any protocol associated with the known
'port_type's [1] can establish a conversation for that port_type and then have heuristic sub-dissectors which can call conversation_set_dissector().

In actuality, only a few dissectors currently do so.


How about something like the following wording:

... but only do this if your heuristic sits directly on top of
    (was called by) a dissector which established a conversation
    for the protocol "port type". IOW: directly over TCP, UDP, ...


Looking at the Wireshark dissectors: I see at least one
possibly problematical case:

packet-soupbintcp has heuristic sub-dissectors and uses try_conversation() even though it actually uses (I think) the conversation established by packet-tcp.

I think this means that if packet-tcp has "try heuristic first" that things won't work right.

I'll have to research this further.

Bill



[1]
/* Types of port numbers Wireshark knows about. */
typedef enum {
    PT_NONE,            /* no port number */
    PT_SCTP,            /* SCTP */
    PT_TCP,             /* TCP */
    PT_UDP,             /* UDP */
    PT_DCCP,            /* DCCP */
    PT_IPX,             /* IPX sockets */
    PT_NCP,             /* NCP connection */
    PT_EXCHG,           /* Fibre Channel exchange */
    PT_DDP,             /* DDP AppleTalk connection */
    PT_SBCCS,           /* FICON */
    PT_IDP,             /* XNS IDP sockets */
    PT_TIPC,            /* TIPC PORT */
    PT_USB,             /* USB endpoint 0xffff means the host */
    PT_I2C,
    PT_IBQP,            /* Infiniband QP number */
    PT_BLUETOOTH
} port_type;
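For reference, here is an added example of what the Lua heuristic support in this commit lets a script register; it is written for this page and is not taken from the commit, the README or Wireshark's own Lua scripts. The protocol name "exh", the magic "EXH1" and the 6-byte header layout are constructed for the example; the only API it relies on beyond the standard Proto, ProtoField, Tvb and Pinfo calls is Proto.register_heuristic(listname, func) as added by this commit. It deliberately does not pin the conversation: the conversation_set_dissector() behaviour discussed in the message is the C API, and the point that it is only safe when the calling dissector established a conversation for its port type applies there.

```lua
-- Added example (not from the Wireshark commit or the README): a minimal Lua
-- heuristic dissector registered on the UDP heuristic list via the
-- Proto.register_heuristic API that this commit introduces.
-- "exh", the 4-byte magic "EXH1" and the field layout are hypothetical.

local exh = Proto("exh", "Example Heuristic Protocol (hypothetical)")

local f_magic = ProtoField.string("exh.magic", "Magic")
local f_len   = ProtoField.uint16("exh.len", "Payload length", base.DEC)
local f_data  = ProtoField.bytes("exh.data", "Payload")
exh.fields = { f_magic, f_len, f_data }

local HEADER_LEN = 6   -- 4-byte magic + 2-byte big-endian payload length

-- Heuristic entry point: called with (Tvb, Pinfo, TreeItem) for every UDP
-- payload that no port-based dissector has claimed (or before them, if the
-- user enabled "try heuristic sub-dissectors first" on UDP).
-- It must return true only when it is confident the payload is ours.
local function exh_heuristic(tvb, pinfo, tree)
    -- Check 1: enough bytes for the fixed header.
    if tvb:len() < HEADER_LEN then
        return false
    end
    -- Check 2: the magic must match exactly.
    if tvb(0, 4):string() ~= "EXH1" then
        return false
    end
    -- Check 3: the declared length must agree with what was captured;
    -- a heuristic that stops at the magic will claim other traffic by mistake.
    local declared = tvb(4, 2):uint()
    if declared ~= tvb:len() - HEADER_LEN then
        return false
    end

    -- Only now touch the packet: column, tree, fields.
    pinfo.cols.protocol = "EXH"
    local subtree = tree:add(exh, tvb(), "Example Heuristic Protocol")
    subtree:add(f_magic, tvb(0, 4))
    subtree:add(f_len, tvb(4, 2))
    if declared > 0 then
        subtree:add(f_data, tvb(HEADER_LEN, declared))
    end
    return true
end

-- Register on the "udp" heuristic list. UDP establishes the conversation for
-- its port type, so in the C API a heuristic sitting here could also pin the
-- conversation with conversation_set_dissector(); this Lua example does not
-- attempt that and only claims each packet it positively identifies.
exh:register_heuristic("udp", exh_heuristic)
```

The three checks are ordered cheapest first and the tree is only built after the last one passes, so a rejected packet costs almost nothing and, more importantly, leaves no trace for the dissectors that run after it.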

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]