fabio matturro wrote:
Thank you but I'm still in doubt :(
I've had a skim-through Readme.DEVELOPER and there is nothing about
heuristic (I'm referring to Readme.DEVELOPER-ethereal-0.10.12 version).
It says even less about non-heuristic; it gives no examples of how a
dissector should register to be called.
Anyway, in the guide it says:
dissector_add("udp.port", global_foo_port, foo_handle);
tells the main program to call the dissector when it gets UDP traffic on
that port.
Let's take the http dissector: the server communicates on 80, the client
on a not predetermined port. How does client-running-ethereal know on
which port the HTTP traffic coming from the server is received?!
It's the other port number in a TCP header going to or from port 80. :-)
I.e., the TCP dissector checks both the source and destination port to
see if it's a port on which some dissector is registered.
Tell me more about heuristic (IF this is the solution)
A heuristic dissector returns a gboolean, rather than a void or an int.
The first thing it does is look at some data in the packet to see if
the packet looks as if it's a packet for that dissector's protocol and,
if not, it returns FALSE, otherwise it dissects the packet and returns TRUE.
NOTE: in the code that looks at data in the packet, the dissector
*M*U*S*T* use "tvb_bytes_exist()" or "tvb_offset_exists()" to make sure
the data is available in the tvbuff before looking at it. If not enough
data exists, the dissector should reject the packet, returning FALSE.
Once it's accepted the packet, it doesn't need to use those routines.
Note that the checks should both
1) accept all packets that *are* packets for that protocol
and
2) accept as few as possible packets that *aren't* packets for that
protocol (ideally, accept none, although that's probably impossible).
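The following is an added example, not part of the original message and not Ethereal code. It models the heuristic pattern described above in self-contained C: check that the bytes exist, reject on any mismatch, and only then dissect. The `buf_t` type, `bytes_exist()` (standing in for `tvb_bytes_exist()`), the FOO header layout, `dissect_foo_heur()`, `try_packet()` and the sample packets are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a tvbuff (not Ethereal's tvbuff_t): captured bytes and their count. */
typedef struct { const uint8_t *data; size_t len; } buf_t;

/* Plays the role of tvb_bytes_exist(): is [offset, offset+length) captured? */
static bool bytes_exist(const buf_t *b, size_t offset, size_t length)
{
    return offset <= b->len && length <= b->len - offset;
}

/* Hypothetical FOO header: magic F0 0F, version 01, 16-bit big-endian length. */
#define FOO_HDR_LEN 5

/* Heuristic dissector shape: false = "not mine", true = accepted and dissected. */
static bool dissect_foo_heur(const buf_t *b, unsigned *payload_len)
{
    if (!bytes_exist(b, 0, FOO_HDR_LEN))           /* check before any read */
        return false;
    if (b->data[0] != 0xF0 || b->data[1] != 0x0F)  /* magic must match */
        return false;
    if (b->data[2] != 0x01)                        /* only the known version */
        return false;
    /* All five header bytes were verified above, so these reads are in bounds. */
    *payload_len = ((unsigned)b->data[3] << 8) | b->data[4];
    return true;
}

/* Constructed sample packets. */
static const uint8_t pkt_foo[]   = { 0xF0, 0x0F, 0x01, 0x00, 0x02, 'h', 'i' };
static const uint8_t pkt_short[] = { 0xF0, 0x0F, 0x01 };   /* cut mid-header */
static const uint8_t pkt_http[]  = { 'G', 'E', 'T', ' ', '/', '\r', '\n' };

static bool try_packet(const uint8_t *p, size_t n, unsigned *plen)
{
    buf_t b = { p, n };
    return dissect_foo_heur(&b, plen);
}

int main(void)
{
    unsigned plen = 0;
    printf("foo:   %d\n", try_packet(pkt_foo, sizeof pkt_foo, &plen));
    printf("short: %d\n", try_packet(pkt_short, sizeof pkt_short, &plen));
    printf("http:  %d\n", try_packet(pkt_http, sizeof pkt_http, &plen));
    return 0;
}
```

The truncated packet carries a valid magic but is rejected before any byte past its end is read, which is the case the `tvb_bytes_exist()` rule guards against.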