Wireshark-dev: Re: [Wireshark-dev] question(s) on the use of heur_dissector_add

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 20 Sep 2006 18:27:18 -0700

Brian Vandenberg wrote:

> As far as I can tell, basically, I can't use a heuristic dissector to dissect anything http has already looked at if another dissector has registered itself as a subdissector for the given port. Is that about accurate?

Yes.

The same problem exists with TCP or UDP if the "Try heuristic sub-dissectors first" preference isn't set. If it *is* set, a heuristic dissector with too-weak heuristics (i.e., one that accepts packets that aren't for the protocol in question) can grab packets not for it and not let dissectors registered for ports see the packets.

Perhaps the HTTP dissector should have a similar preference.

BTW, does your protocol (which I assume runs atop HTTP) have a Content-Type (media type) value associated with it? If so, you might want to register that media type in the "media_type" string dissector table.
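
The dispatch order discussed in this thread, as an added example that is not part of the original message and is not Wireshark source: a simplified C model showing a port-registered dissector shadowing a heuristic one, and a too-weak heuristic taking another protocol's packets once heuristics are tried first. All names (`dispatch`, `demo`, `foo`, `bar`, the `FOO1` magic) and payloads are hypothetical, and the model assumes that with the preference off the heuristic runs only when no port dissector is registered.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the dispatch order discussed in this thread.
 * NOT Wireshark source; every name here is hypothetical. */
typedef int (*heur_fn)(const unsigned char *d, size_t n); /* nonzero = "mine" */

/* Strong heuristic: demands the constructed 4-byte magic "FOO1". */
static int foo_strong(const unsigned char *d, size_t n) {
    return n >= 4 && memcmp(d, "FOO1", 4) == 0;
}

/* Too-weak heuristic: accepts any payload starting with a printable byte. */
static int foo_weak(const unsigned char *d, size_t n) {
    return n >= 1 && d[0] >= 0x20 && d[0] < 0x7f;
}

/* Returns the name of the dissector that ends up with the payload.
 * port_name: dissector registered for the port, or NULL if none.
 * Assumption of this model: with the preference off, the heuristic is
 * consulted only when no port dissector took the packet. */
const char *dispatch(const char *port_name, heur_fn heur, int heur_first,
                     const char *payload) {
    const unsigned char *d = (const unsigned char *)payload;
    size_t n = strlen(payload);
    if (heur_first && heur(d, n))
        return "foo";            /* heuristic claimed it before the port lookup */
    if (port_name != NULL)
        return port_name;        /* port registration wins; heuristic never runs */
    if (!heur_first && heur(d, n))
        return "foo";
    return "data";
}

/* Wrapper over constructed payloads: weak selects the too-weak heuristic. */
const char *demo(int weak, int heur_first, int port_registered, const char *p) {
    return dispatch(port_registered ? "bar" : NULL,
                    weak ? foo_weak : foo_strong, heur_first, p);
}

int main(void) {
    /* "BAR hello" is constructed traffic for the port-registered dissector. */
    printf("%s\n", demo(0, 0, 1, "FOO1 payload")); /* port dissector shadows foo */
    printf("%s\n", demo(0, 1, 1, "FOO1 payload")); /* heuristic tried first */
    printf("%s\n", demo(1, 1, 1, "BAR hello"));    /* weak heuristic grabs it */
    printf("%s\n", demo(0, 1, 1, "BAR hello"));    /* strong heuristic declines */
    return 0;
}
```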