On Sep 8, 2008, at 7:56 AM, Maynard, Chris wrote:

> I do have one more question/thought about heuristic dissectors as it
> pertains to TCP heuristic dissectors though. Should the
> README.heuristic examples be changed to make use of tcp_dissect_pdus()
> for TCP-based heuristic dissectors?

The protocol being dissected isn't specified completely enough to do
so - you'd have to specify whether the length field includes the
header or not.
With that specified, it might make sense to use tcp_dissect_pdus(), so
that we show how to write such a dissector (in particular, to show
that you *don't* call tcp_dissect_pdus() until you've figured out
whether the TCP segment is one of yours or not).

> In fact, should existing Wireshark
> dissectors that currently simply register as TCP heuristic dissectors be
> modified so they can take advantage of TCP reassembly? A quick grep of
> epan/dissectors/packet-*.c yields 41 such dissectors.

Yes, and so should existing Wireshark dissectors that register as TCP
*non*-heuristic dissectors.
Note that not all TCP dissectors can use tcp_dissect_pdus() to do
reassembly - only the ones where, for some value of N:
1) no PDU for the protocol is shorter than N bytes long
and
2) the length of a PDU can be determined by looking at the first N
bytes.
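
The two conditions and the "decide ownership first, reassemble second" ordering discussed above, as a standalone C model. This is an added example, not Wireshark code and not code from this thread. It assumes a hypothetical 4-byte header (magic bytes 0xCA 0xFE, then a 16-bit big-endian length field); all names, the magic value and the 256-byte cap are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4    /* N: every PDU has at least this many bytes */
#define MAX_PDU 256  /* assumed sanity cap on a declared PDU length */

typedef struct { uint8_t buf[MAX_PDU]; size_t have; int claimed; } stream_t;

/* Heuristic check on the hypothetical magic bytes 0xCA 0xFE. */
static int looks_like_ours(const uint8_t *p) {
    return p[0] == 0xCA && p[1] == 0xFE;
}

/* Total PDU length derived from the first HDR_LEN bytes, 0 if invalid.
 * The caller must say whether the length field counts the header. */
static size_t pdu_len(const uint8_t *hdr, int len_includes_hdr) {
    size_t field = ((size_t)hdr[2] << 8) | hdr[3];
    if (len_includes_hdr && field < HDR_LEN)
        return 0;                       /* shorter than its own header */
    size_t total = len_includes_hdr ? field : field + HDR_LEN;
    return total > MAX_PDU ? 0 : total;
}

/* Feed one TCP segment. Returns complete PDUs found, or -1 when the
 * stream is not ours or a length field is malformed. */
static int feed_segment(stream_t *s, const uint8_t *seg, size_t n,
                        int len_includes_hdr) {
    int pdus = 0;
    if (!s->claimed) {                  /* decide ownership before reassembly */
        if (n < HDR_LEN || !looks_like_ours(seg))
            return -1;
        s->claimed = 1;
    }
    if (n > sizeof s->buf - s->have)
        return -1;
    memcpy(s->buf + s->have, seg, n);
    s->have += n;
    while (s->have >= HDR_LEN) {        /* condition 2: header gives length */
        size_t len = pdu_len(s->buf, len_includes_hdr);
        if (len == 0)
            return -1;
        if (s->have < len)
            break;                      /* wait for more segments */
        pdus++;                         /* a real dissector would decode here */
        memmove(s->buf, s->buf + len, s->have - len);
        s->have -= len;
    }
    return pdus;
}
```

The same four header bytes with a length field of 2 are rejected when the field is defined to include the header and accepted as a 6-byte PDU when it is not, which is why the length semantics have to be pinned down before the length callback is written.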