On Mar 6, 2009, at 10:08 AM, Stephen Fisher wrote:
Take a look at epan/dissectors/packet-udp.c in the source code. In
particular, the decode_udp_ports() function. The UDP dissector follows
the general method for finding the next dissector to call. In the case
of UDP, it uses the port number to find which dissector(s) has
registered itself on that udp port and then calls it. If there is more
than one, it is expected that each one will do a heuristic check of
(usually) the first few bytes of the packet to determine if it should
accept the packet and if not, Wireshark gives it to the next dissector
registered on that port to see if it will accept it with a heuristic
check.

In addition, the UDP dissector has a list of purely-heuristic
dissectors; depending on the setting of a preference, those are either
called, one after another, before the UDP dissector tries dissectors
based on port numbers (so that a heuristic dissector can grab traffic
even if one of the ports it's coming from or going to has a UDP
dissector for it) or after the UDP dissector tries dissectors based on
port numbers. The heuristic dissectors are called regardless of the
port number; they also check (usually) the first few bytes of the
packet to decide if it should accept it or not.
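
The dispatch order described in this thread, as an added example that is not part of the original messages and is not Wireshark's code: a simplified stand-alone model in which every name (`decode_ports_model`, `heur_foo`, `heur_bar`, `port_dns_like`), the port table, and the payload bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Wireshark's API. A dissector returns 1 to accept. */
typedef int (*dissector_fn)(const uint8_t *d, size_t len);
struct entry { uint16_t port; dissector_fn fn; const char *name; };

/* Heuristic checks read the first few bytes; length is checked before any read. */
static int heur_foo(const uint8_t *d, size_t len) {   /* constructed magic "FOO1" */
    return len >= 4 && memcmp(d, "FOO1", 4) == 0;
}
static int heur_bar(const uint8_t *d, size_t len) {   /* constructed: version 2 + length byte */
    return len >= 2 && d[0] == 0x02 && (size_t)d[1] == len - 2;
}
static int port_dns_like(const uint8_t *d, size_t len) { /* weak check: header size only */
    (void)d; return len >= 12;
}
static const struct entry port_table[] = { { 53, port_dns_like, "dns-like" } };
static const struct entry heur_list[] = { { 0, heur_foo, "foo" }, { 0, heur_bar, "bar" } };

/* Every dissector registered on either port gets a chance, in order. */
static const char *try_ports(uint16_t sport, uint16_t dport, const uint8_t *d, size_t len) {
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if ((port_table[i].port == sport || port_table[i].port == dport) &&
            port_table[i].fn(d, len))
            return port_table[i].name;
    return NULL;
}
/* Purely heuristic dissectors are tried regardless of port number. */
static const char *try_heuristics(const uint8_t *d, size_t len) {
    for (size_t i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i].fn(d, len))
            return heur_list[i].name;
    return NULL;
}
/* heur_first models the preference: heuristics before or after port lookup. */
const char *decode_ports_model(uint16_t sport, uint16_t dport, const uint8_t *d,
                               size_t len, int heur_first) {
    const char *hit = heur_first ? try_heuristics(d, len) : try_ports(sport, dport, d, len);
    if (!hit)
        hit = heur_first ? try_ports(sport, dport, d, len) : try_heuristics(d, len);
    return hit ? hit : "data";   /* nobody accepted: treat as undissected data */
}
int main(void) {
    const uint8_t pkt[12] = { 'F', 'O', 'O', '1' };   /* constructed sample payload */
    printf("%s %s\n", decode_ports_model(40000, 53, pkt, sizeof pkt, 1),
           decode_ports_model(40000, 53, pkt, sizeof pkt, 0));
    return 0;
}
```

The same payload on port 53 is labelled differently depending on the preference, which is why a protocol name shown for traffic on a well-known port reflects the dispatch order as well as the bytes.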