> Thanks for the answers, I'm beginning to throw together a small netlib
> dissector (since it is such a simple protocol). I'm running into one
> problem that I can't seem to find the answer to. Many of the protocols
> depend on there being a well known port to which data is being sent.
> While MS SQL server has a default port of 1433, it's not fixed.
> Looking through the code it seems I have to add some heuristics to detect
> the protocol and point it at my dissector.

There are actually two choices:

1) use a heuristic dissector, which might be a pain (you'd have
   to figure out the heuristic, *and*, if not strict enough, it
   might end up causing your dissector to grab stuff that's not,
   in fact, MS SQL traffic);

2) let the user specify the port to be used, as a preference,
   which means that if it's not using the default port, the user
   has to go in and tweak things.

> Is there any documentation on this?

Not really. Search for "heur_dissector_add()" and look at the modules
in which it's called, for examples of heuristic dissectors. See, for
example, the Quake dissector for an example of user-settable ports.