Wireshark-dev: Re: [Wireshark-dev] Two dissectors on same TCP port?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 30 Sep 2009 11:43:29 -0700

On Sep 30, 2009, at 11:30 AM, Alex Lindberg wrote:

I am creating a custom dissector that runs on a TCP port already covered by one of the standard dissectors.

How do can I overload the dissector registration so that if the unique condistion exist for my custom dissector my dissector will be used, otherwise pass control back to Wireshark?

What is the unique condition?

Is it something in the contents of the packet, or is it a preference setting, or is it something else?

One way to do this would be to make your dissector a heuristic dissector, have it check for the port number and the unique condition (if there's a match, dissect and return TRUE, otherwise return FALSE), and set the TCP preference to run the heuristic dissectors first.