Wireshark-dev: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .....

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 26 Jun 2011 11:58:17 -0700
On Jun 25, 2011, at 11:45 PM, John x wrote:

> but here I want to use ip.ttl to instruct wireshark to handoff packet to my dissector.

Why?  The TTL value changes in-flight, so it cannot be meaningfully used to distinguish what protocol is being carried in an IP packet.

> In my specific situation, ip.ttl is my only way to distinguish my packets.

What is your specific situation?  What is it you're trying to do?