Please ignore the previous response.
So Wireshark will not identify your dissector.
Basically, let's assume your protocol dissector runs under TCP. Then, if you have heuristically registered your dissector with the function
    heur_dissector_add("tcp", dissect_your_protocol_tcp, proto_your_protocol_reference);
then TCP will hand the payload to your dissector for further parsing.
Now if you know that the first two bytes of the payload are an identifier for your protocol, then you can confirm it and only then accept to dissect that packet; otherwise you can reject it.
That is what I mean by setting certain criteria to filter out your packets of interest.
Thanks
Hemant
From: Kumar, Hemant
Sent: Wednesday, August 27, 2008 3:11 PM
To: 'Developer support list for Wireshark'
Subject: RE: [Wireshark-dev] heuristic Dissector vs. normal dissector
Wireshark will not identify your dissector.
Basically, let's assume your protocol dissector runs under TCP. Then, if you have heuristically registered your dissector with the function
    heur_dissector_add("tcp", dissect_your_protocol_tcp, proto_your_protocol_reference);
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Tom Stevens
Sent: Wednesday, August 27, 2008 2:57 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] heuristic Dissector vs. normal dissector
Thanks for the information!
But, without a port number, how can Wireshark find (identify) the correct dissector for the incoming packets? What are the specific criteria? Maybe you can give me an example. I'm a bit slow on the uptake at the moment.
Greetings Tom (Germany)
2008/8/27 Kumar, Hemant <kumarh@xxxxxxxxxxxx>
Basically, heuristic dissector means that your dissector will accept all the traffic packets and will not segregate based on port number.
So to identify your own custom dissector protocol messages you have to separate out the packets based on certain criteria specific to your protocol.
And a normal dissector is registered with Wireshark based on port information, which tells Wireshark on which port your message is going to be exchanged.
I hope it clarifies.
Hemant.
Hi!
What are the differences between a heuristic dissector and a normal dissector?
So far I have not considered heuristic dissectors, because I did not know what they are and how to use them.
Maybe you can help!
Thanks in advance Tom (Germany)
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
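The accept-or-reject behaviour described in the thread, as an added example that is not part of the original messages and not Wireshark source code: a standalone C model in which the parent offers a payload to each registered heuristic dissector until one accepts. Assumptions: the 0xCA 0xFE identifier, the length field, the "ping" dissector and every helper name except dissect_your_protocol_tcp are constructed for illustration, and the length check goes beyond the two-byte test the thread mentions.

```c
/* Standalone model, NOT Wireshark's API: helper names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef bool (*heur_fn)(const uint8_t *payload, size_t len);
static struct { const char *name; heur_fn fn; } heur_table[8];
static size_t heur_count;

/* Plays the role that heur_dissector_add("tcp", ...) has in the thread. */
static bool heur_register(const char *name, heur_fn fn) {
    if (heur_count == sizeof heur_table / sizeof heur_table[0]) return false;
    heur_table[heur_count].name = name;
    heur_table[heur_count++].fn = fn;
    return true;
}

/* Constructed format: magic 0xCA 0xFE, 2-byte big-endian body length, body. */
static bool dissect_your_protocol_tcp(const uint8_t *p, size_t len) {
    if (len < 4) return false;                      /* bounds check before any read */
    if (p[0] != 0xCA || p[1] != 0xFE) return false; /* identifier mismatch: reject */
    size_t body = ((size_t)p[2] << 8) | p[3];
    return body == len - 4;      /* second check limits false hits; true = accept */
}

/* A second constructed heuristic dissector competing for the same payloads. */
static bool dissect_ping_tcp(const uint8_t *p, size_t len) {
    return len >= 4 && memcmp(p, "PING", 4) == 0;
}

/* Offer the payload to each heuristic dissector; first to return true wins. */
static const char *tcp_try_heuristics(const uint8_t *payload, size_t len) {
    for (size_t i = 0; i < heur_count; i++)
        if (heur_table[i].fn(payload, len)) return heur_table[i].name;
    return "data";                                  /* nobody accepted */
}

static void register_demo_dissectors(void) {
    heur_count = 0;
    heur_register("ping", dissect_ping_tcp);
    heur_register("your_protocol", dissect_your_protocol_tcp);
}

int main(void) {
    const uint8_t pkt[] = {0xCA, 0xFE, 0x00, 0x02, 'h', 'i'}; /* constructed */
    register_demo_dissectors();
    puts(tcp_try_heuristics(pkt, sizeof pkt));
    return 0;
}
```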