Wireshark-dev: Re: [Wireshark-dev] Recursive Heuristic Dissectors calls

From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Tue, 24 Jan 2012 21:47:19 +0000 (UTC)
Alex Lindberg <alindber@...> writes:

> I have a custom protocol that uses a well-known TCP port and as such have
> connected a heuristic dissector to tcp. My dissector works fine if there is only
> my custom protocol in the packet, but I have run into a case where the first
> part of the packet has several groups of my protocol, but at the end is a normal
> h248 chunk of data. How should I handle this? I would like for the TCP dissector
> to try a heuristic dissector lookup after each chunk of custom data. After a
> quick look at the TCP dissector, it appears that "dissector_try_heuristic",
> defined in epan/proto.c, is called only once per packet. Any ideas? Thanks as
> always.
> Alex Lindberg

I didn't see anyone follow up with this and I meant to earlier but it slipped
through the cracks ...

I think perhaps what might be needed are "new-style" heuristic dissectors,
similar to the new-style regular dissectors.  Instead of simply returning
TRUE/FALSE, it would return the number of bytes it consumed so that the calling
dissector can keep looping with the remaining bytes to be dissected, rather than
only calling one heuristic dissector per packet.

- Chris
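
The looping scheme suggested in the reply above, sketched as a stand-alone C model. This is an added example, not Wireshark code and not part of the original thread. The `heur_fn` type, `heur_custom`, `heur_text`, `dissect_payload` and the "CP" PDU layout are all hypothetical; a real dissector would work on a `tvbuff_t` rather than a raw buffer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "new-style" heuristic: returns bytes consumed, 0 = not mine. */
typedef size_t (*heur_fn)(const unsigned char *buf, size_t len);

/* Constructed custom PDU: 'C' 'P', 1-byte payload length, payload. */
static size_t heur_custom(const unsigned char *buf, size_t len)
{
    if (len < 3 || buf[0] != 'C' || buf[1] != 'P')
        return 0;
    size_t need = 3 + (size_t)buf[2];
    return need <= len ? need : 0;   /* reject a truncated PDU */
}

/* Stand-in for a text protocol: claims the rest if it starts with "MEGACO/". */
static size_t heur_text(const unsigned char *buf, size_t len)
{
    return (len >= 7 && memcmp(buf, "MEGACO/", 7) == 0) ? len : 0;
}

static const heur_fn heur_table[] = { heur_custom, heur_text };

/* Try every heuristic at each offset until the payload is used up.
   Returns the number of PDUs claimed; *consumed gets the bytes dissected. */
static int dissect_payload(const unsigned char *buf, size_t len, size_t *consumed)
{
    size_t off = 0;
    int pdus = 0;
    while (off < len) {
        size_t used = 0;
        for (size_t i = 0; i < sizeof heur_table / sizeof heur_table[0]; i++) {
            used = heur_table[i](buf + off, len - off);
            if (used != 0)
                break;
        }
        /* No taker, or a bogus length: stop instead of spinning or overrunning. */
        if (used == 0 || used > len - off)
            break;
        off += used;
        pdus++;
    }
    *consumed = off;
    return pdus;
}

int main(void)
{   /* Constructed payload: two custom PDUs followed by a text chunk. */
    const unsigned char pkt[] = "CP\x02" "ab" "CP\x00" "MEGACO/1 [x]";
    size_t used = 0;
    return dissect_payload(pkt, sizeof pkt - 1, &used) == 3 ? 0 : 1;
}
```

The two stop conditions matter for untrusted captures: a heuristic that returns 0 forever or a length larger than the remaining bytes must end the loop, and the caller can hand any bytes past `*consumed` to a generic data dissector.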