metatech wrote:
> - I tried to remove the registration of the 1414 port, but in that case it
> is impossible to do a "Decode as..." with MQ... (for instance
> if another dissector stole the packet). Is there any trick (like creating
> two protocol handles, one is dummy and the other one is real) ?
Yes, you don't have to have a port number (example from packet-rtp.c):
dissector_add_handle("udp.port", rtp_handle);
> - Also I haven't found a way to "NAK" a packet once it is passed to a
> dissector through a port match, is there a way to pass it to another
> dissector ? (like the return boolean for the heuristic method).
Yes, there is a new_create_dissector_handle that you can use (see example in
packet-aim).
As you see, dissect_aim returns an int. The return value is set to 0 if it's
not an AIM packet.
==============================================
aim_handle = new_create_dissector_handle(dissect_aim, proto_aim);
=========================================
static int dissect_aim(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  /* check, if this is really an AIM packet, they start with 0x2a */
  /* XXX - I've seen some stuff starting with 0x5a followed by 0x2a */
  if(tvb_bytes_exist(tvb, 0, 1) && tvb_get_guint8(tvb, 0) != 0x2a) {
    /* Not an instant messenger packet, just happened to use the same port */
    /* XXX - if desegmentation disabled, this might be a continuation
       packet, not a non-AIM packet */
    return 0;
  }
  tcp_dissect_pdus(tvb, pinfo, tree, aim_desegment, 6, get_aim_pdu_len,
                   dissect_aim_pdu);
  return tvb_length(tvb);
}
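
A self-contained C model of the accept/reject contract described in this reply, added here as an example; it is not code from the message or from packet-aim.c and does not call the real dissector API. The names `dispatch`, `model_dissect_aim`, `model_dissect_data`, the sample port and the payload bytes are assumptions made up for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* New-style contract: return bytes consumed, or 0 for "not my protocol". */
typedef int (*new_dissector_t)(const unsigned char *buf, size_t len);
struct handle { const char *name; new_dissector_t fn; };

/* Same first-byte test as dissect_aim: AIM frames start with 0x2a. */
static int model_dissect_aim(const unsigned char *buf, size_t len)
{
    if (len >= 1 && buf[0] != 0x2a)
        return 0;            /* NAK: something else is using this port */
    return (int)len;         /* claimed; an empty buffer also yields 0 */
}

/* Catch-all that accepts anything, standing in for a generic data dissector. */
static int model_dissect_data(const unsigned char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

static const struct handle aim_h  = { "aim",  model_dissect_aim };
static const struct handle data_h = { "data", model_dissect_data };

#define SAMPLE_AIM_PORT 5190u   /* sample port number chosen for this model */
static const unsigned char sample_aim[]   = { 0x2a, 0x02, 0x00, 0x01, 0x00, 0x00 }; /* constructed */
static const unsigned char sample_other[] = { 0x16, 0x03, 0x01 };                   /* constructed */

/* decode_as != NULL models a user "Decode as..." choice of a handle that has
 * no port of its own; otherwise the port table (one entry here) is used. */
static const struct handle *dispatch(unsigned port, const struct handle *decode_as,
                                     const unsigned char *buf, size_t len)
{
    const struct handle *h = decode_as;
    if (h == NULL && port == SAMPLE_AIM_PORT)
        h = &aim_h;
    if (h != NULL && h->fn(buf, len) > 0)
        return h;            /* accepted by the selected dissector */
    data_h.fn(buf, len);     /* rejected or no match: fall back to data */
    return &data_h;
}

int main(void)
{
    printf("%s\n", dispatch(SAMPLE_AIM_PORT, NULL, sample_aim, sizeof sample_aim)->name);
    printf("%s\n", dispatch(SAMPLE_AIM_PORT, NULL, sample_other, sizeof sample_other)->name);
    printf("%s\n", dispatch(9999u, &aim_h, sample_aim, sizeof sample_aim)->name);
    return 0;
}
```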