Comment #21 on bug 8239 from Michael Mann
(In reply to comment #19)
> > You may be able to use the "conversation API" mentioned in
> > doc\README.developer, section 2.2. Perhaps the logic should be
> > (pseudocode):
> >
> > if first 4 bytes == "SSTP"
> > then
> >     create_conversation()
> >     dissect_sstp()
> >     return TRUE
> > else if find_conversation("SSTP")
> >     dissect_sstp()
> >     return TRUE
> > else
> >     return FALSE
>
> Yes, but this only works if Wireshark saw the one initial packet with
> the "SSTP" string as described above. SSTP sessions that were already
> at an "established" state before the capture was started would simply
> not be recognized as such and therefore not dissected.
That's where Decode As... comes in. What should cover both scenarios is:
void
proto_reg_handoff_sstp(void)
{
    static dissector_handle_t sstp_handle;

    sstp_handle = create_dissector_handle(dissect_sstp, proto_sstp);

    /* Add the handle to the tcp.port table without binding a port, so the
       dissector is offered in "Decode As..." for sessions the heuristic
       cannot recognize (e.g. captures that missed the initial packet). */
    dissector_add_handle("tcp.port", sstp_handle);

    /* heur_dissect_sstp() implements the algorithm described in comment #18 */
    heur_dissector_add("tcp", heur_dissect_sstp, proto_sstp);
}
OR
You can register the TCP port as a "preference". Not sure if it should default
to 443 or 0. I would lean towards 0 since it's not an IANA registered value.
Numerous dissectors have examples on how to do this.
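Added example (not code from this bug or from Wireshark): a stand-alone C simulation of the two dispatch paths discussed in the comment above, the heuristic with conversation tracking from the quoted pseudocode and an explicit port binding from "Decode As..." or a port preference. packet_t, the conversation table, find_conversation()/create_conversation(), dissect_sstp() and sstp_port are simplified stand-ins for the real Wireshark APIs (assumptions), and the addresses and payloads are constructed. It exercises the case the quoted reply worries about: a session established before the capture started is missed by the heuristic alone and picked up once the port is bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_CONVS 16

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    const char *data;   /* TCP payload */
    size_t len;
} packet_t;

/* Conversation tagged as SSTP: stand-in for Wireshark's conversation API. */
typedef struct { uint32_t ip_a, ip_b; uint16_t port_a, port_b; bool in_use; } conv_t;
static conv_t convs[MAX_CONVS];

/* "Decode As" / port preference; 0 means unset (the default leaned to above). */
static uint16_t sstp_port = 0;

static bool conv_matches(const conv_t *c, const packet_t *p)
{
    return (c->ip_a == p->src_ip && c->port_a == p->src_port &&
            c->ip_b == p->dst_ip && c->port_b == p->dst_port) ||
           (c->ip_a == p->dst_ip && c->port_a == p->dst_port &&
            c->ip_b == p->src_ip && c->port_b == p->src_port);
}

static conv_t *find_conversation(const packet_t *p)
{
    for (int i = 0; i < MAX_CONVS; i++)
        if (convs[i].in_use && conv_matches(&convs[i], p))
            return &convs[i];
    return NULL;
}

static void create_conversation(const packet_t *p)
{
    for (int i = 0; i < MAX_CONVS; i++)
        if (!convs[i].in_use) {
            convs[i] = (conv_t){ p->src_ip, p->dst_ip, p->src_port, p->dst_port, true };
            return;
        }
}

/* Stand-in for the real dissector: only reports that it took the segment. */
static bool dissect_sstp(const packet_t *p) { return p->len > 0; }

/* The quoted pseudocode: claim the stream on the "SSTP" magic, remember the
 * conversation, and keep dissecting later segments of that conversation. */
static bool heur_dissect_sstp(const packet_t *p)
{
    if (p->len >= 4 && memcmp(p->data, "SSTP", 4) == 0) {
        if (find_conversation(p) == NULL)
            create_conversation(p);
        return dissect_sstp(p);
    }
    if (find_conversation(p) != NULL)
        return dissect_sstp(p);
    return false;   /* not ours; TCP moves on to the next heuristic */
}

/* Simplified TCP dispatch: an explicit port binding is consulted before
 * the heuristic list. */
static bool tcp_dispatch(const packet_t *p)
{
    if (sstp_port != 0 && (p->src_port == sstp_port || p->dst_port == sstp_port))
        return dissect_sstp(p);
    return heur_dissect_sstp(p);
}

static void reset_state(uint16_t port) { memset(convs, 0, sizeof convs); sstp_port = port; }

/* Constructed addresses (0x0A000001 = 10.0.0.1) and payloads, not from a
 * capture; only the first four bytes of REQ matter to the heuristic. */
#define CLIENT 0x0A000001u
#define SERVER 0x0A000002u
#define OTHER  0x0A000003u
static const char REQ[]  = "SSTP_DUPLEX_POST / HTTP/1.1\r\n";
static const char RESP[] = "HTTP/1.1 200 OK\r\n";
static const char GET[]  = "GET / HTTP/1.1\r\n";

/* Capture saw the initial request: request and reply of that conversation
 * are dissected, the unrelated GET on the same server port is not. Returns 2. */
int scenario_handshake_seen(void)
{
    reset_state(0);
    packet_t req  = { CLIENT, SERVER, 51000, 443, REQ,  sizeof REQ - 1 };
    packet_t resp = { SERVER, CLIENT, 443, 51000, RESP, sizeof RESP - 1 };
    packet_t get  = { OTHER,  SERVER, 52000, 443, GET,  sizeof GET - 1 };
    return tcp_dispatch(&req) + tcp_dispatch(&resp) + tcp_dispatch(&get);
}

/* Session established before the capture started, so the "SSTP" magic is
 * never seen. With decode_as_port == 0 the heuristic alone misses it
 * (returns 0); with 443 the port binding picks it up (returns 1). */
int scenario_mid_session(uint16_t decode_as_port)
{
    reset_state(decode_as_port);
    packet_t resp = { SERVER, CLIENT, 443, 51000, RESP, sizeof RESP - 1 };
    return tcp_dispatch(&resp);
}
```

The dispatch order in tcp_dispatch() mirrors Wireshark's default of trying the port table before heuristic sub-dissectors; the TCP preference "Try heuristic sub-dissectors first" reverses that order, which is one more reason a heuristic should reject anything it cannot positively identify, as the pseudocode's final FALSE does.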