Wireshark-dev: Re: [Wireshark-dev] custom dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 27 Apr 2012 11:33:28 -0700

On Apr 27, 2012, at 9:26 AM, Chad Milam wrote:

> I've written two relatively simple dissectors and gotten them to work under some basic conditions. However, the protocols can use random ports (not inside of a single conversation, but generally speaking).  Also, the protocols are not easily identified by any marker inside of the protocol, making heuristics not terribly ideal.  Both of them are based on UDP.
> 
> Is there a way I can get the protocol dissector plugin to show up in the decode as menu, and not have them do any real work until it is selected?

In the "register handoffs" routine for your dissector, register it in the "udp.port" dissector table with

	dissector_add_handle("udp.port", {handle for your dissector});

This makes it eligible for "Decode As..." with a UDP port, but doesn't actually register it with any particular UDP port value.

That's the best choice if the ports are truly randomly chosen, so that, for any given conversation, there's very little chance that the same ports as in the previous conversation at which you looked will be used.

If there is significantly less randomness, Beth's suggestion might be more convenient, as a preference will be remembered.
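
As an added illustration (not code from this message or from Wireshark), here is a stand-alone C model of what the reply describes: a handle listed for "Decode As..." on a port table, but bound to no port, does no work until a port is chosen for it. Every `model_*` name, the `myproto` dissector and the packet bytes are assumptions constructed for the example.

```c
/* Stand-alone model of a port-keyed dissector table. NOT Wireshark's code:
   every model_* name and the "myproto" dissector are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_HANDLES 8
#define MAX_PORTS   65536
typedef struct { const char *name; int (*dissect)(const unsigned char *, int); } handle_t;
typedef struct {
    const handle_t *eligible[MAX_HANDLES]; /* offered in "Decode As...", no port bound */
    int n_eligible;
    const handle_t *by_port[MAX_PORTS];    /* ports that actually have a dissector */
} table_t;
static table_t udp_port;                   /* models the "udp.port" table */
static int calls;                          /* times the dissector did any work */

/* Models dissector_add_handle(): make the handle selectable, bind no port. */
static void model_add_handle(table_t *t, const handle_t *h) {
    if (t->n_eligible < MAX_HANDLES) t->eligible[t->n_eligible++] = h;
}

/* Models a "Decode As..." choice for one port; 0 on success, -1 if not eligible. */
static int model_decode_as(table_t *t, unsigned port, const char *name) {
    if (port >= MAX_PORTS) return -1;
    for (int i = 0; i < t->n_eligible; i++)
        if (strcmp(t->eligible[i]->name, name) == 0) { t->by_port[port] = t->eligible[i]; return 0; }
    return -1;
}

/* Hands a UDP payload to the dissector bound to either port; 0 if none claims it. */
static int model_dispatch(const table_t *t, unsigned sport, unsigned dport,
                          const unsigned char *p, int len) {
    const handle_t *h = t->by_port[dport % MAX_PORTS];
    if (!h) h = t->by_port[sport % MAX_PORTS];
    return h ? h->dissect(p, len) : 0;
}

static int dissect_myproto(const unsigned char *p, int len) { (void)p; calls++; return len; }
static const handle_t myproto = { "myproto", dissect_myproto };
/* Counterpart of the "register handoffs" routine in the reply above. */
static void proto_reg_handoff_myproto(void) { model_add_handle(&udp_port, &myproto); }

int main(void) {
    const unsigned char pkt[4] = { 0 };    /* constructed payload */
    proto_reg_handoff_myproto();
    printf("before: %d bytes dissected\n", model_dispatch(&udp_port, 40000, 51234, pkt, 4));
    model_decode_as(&udp_port, 51234, "myproto");
    printf("after:  %d bytes dissected\n", model_dispatch(&udp_port, 40000, 51234, pkt, 4));
    return 0;
}
```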