Hi,
Jakub Zawadzki wrote on 05/24/2012 01:02:40 PM:
> tcp_dissect_pdus() splits one big tvb into smaller ones. No big magic.
> So it should be possible to write something like:
>
> bool dissect_heur(tvb, pinfo, tree)
> {
> offset = 0;
> while (tvb_reported_length_remaining(tvb, offset) > minimal_packet_len)
{
> if (!valid_header)
> return FALSE;
>
> offset += your_proto_get_pdu_len(pinfo, tvb, offset);
> }
> tcp_dissect_pdus(tvb, pinfo, tree, ..., your_proto_get_pdu_len,
> your_proto_dissect_pdu)
> return TRUE;
> }
>
> It's better to copy whole tcp_dissect_pdus() semantic, that's why I
> proposed you to write
> new function.
>
> > but what should I do if I can? Currently I'm calling
> expert_add_info_* and return without doing anything.
> > But in this case the user does not even see a warning as long as
> he does not open the Expert
> > Info window.
>
> Well if it's heurestic dissector just return, if it's not you
> probably don't need to test it :)
I just read about heuristic dissectors after you mentioned them. While
reading the README.heuristig I figured out that instead of using
create_dissector_handle() I would be better off with
new_create_dissector_handle(). The only reason I'm using tcp_dissect_pdus()
is because sometimes my messages are split over 2 or more TCP frames. I
guess using new_create_dissector_handle() and returning a negative value in
that case would be 1) much easier and 2) a bit faster, right??
Thanks!
Tobi