Ethereal-dev: Re: [Ethereal-dev] RE: Missing UUID inference

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 24 Oct 2003 23:35:14 -0700
On Fri, Oct 24, 2003 at 08:44:49PM -0700, Guy Harris wrote:
> No, what a heuristic dissector does is
> 
> 	1) check whether the data it'll look at in order to determine if the 
> packet is for it is present in the tvbuff - if not, it says "this 
> packet isn't mine";
> 
> 	2) check that data to see if it looks as if the packet is for it 
> (which won't throw an exception, because of the check in 1) - if it's 
> not, it says "this packet isn't mine";
> 
> 	3) otherwise, it dissects the packet and, if no exception is thrown, 
> it says "this packet is mine".  If an exception *is* thrown, no other 
> dissector is tried.

...but what your stuff does is actually do dissection.

This means, of course, that it has to do it *without* building a
protocol tree (unless you add stuff to *remove* any partial dissection
from the tree), *and* without modifying any of the columns (unless you,
again, undo all it did).

It also means that, as with heuristic dissectors, it won't necessarily
work if you have short frames or un-reassembled PDUs - but it's more
likely to fail in that case, as it has to decode the entire packet.

That might be sufficient to make it work well enough.  Once you find a
dissector that's willing to dissect it (hopefully that'll be the right
one, not one that accidentally happens to succeed), you'd mark the
conversation as using that protocol, so you don't have to do that for
every packet.
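The three checks in the quoted list and the conversation marking described in the last paragraph, as an added example that is not part of the original message and is not Ethereal's code. `buf_t`, `conv_t`, `dispatch` and both toy protocols are hypothetical stand-ins for a tvbuff, a conversation and registered heuristic dissectors.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for a tvbuff and a conversation; not Ethereal's API. */
typedef struct { const uint8_t *data; size_t len; } buf_t;
typedef struct { int chosen; } conv_t;   /* -1 until some dissector claims it */
typedef int (*heur_fn)(const buf_t *);   /* 1 = "mine", 0 = "isn't mine" */

/* Constructed toy protocol A: magic "PRTA" followed by version byte 1. */
static int heur_proto_a(const buf_t *b)
{
    if (b->len < 5)                        /* step 1: needed bytes present? */
        return 0;
    if (memcmp(b->data, "PRTA", 4) != 0)   /* step 2: safe, length checked */
        return 0;
    if (b->data[4] != 1)
        return 0;
    return 1;                              /* step 3: real code dissects here */
}

/* Constructed toy protocol B: 16-bit big-endian length of the rest. */
static int heur_proto_b(const buf_t *b)
{
    size_t declared;
    if (b->len < 2)
        return 0;
    declared = ((size_t)b->data[0] << 8) | b->data[1];
    return declared == b->len - 2;
}

static const heur_fn heur_list[] = { heur_proto_a, heur_proto_b };

/* Returns the index of the claiming dissector, or -1 if nobody claims it.
 * The first claim is recorded on the conversation, so later packets skip
 * the heuristics, including short frames the heuristics would reject. */
int dispatch(conv_t *conv, const uint8_t *data, size_t len)
{
    buf_t b = { data, len };
    int i, n = (int)(sizeof heur_list / sizeof heur_list[0]);

    if (conv->chosen >= 0)
        return conv->chosen;
    for (i = 0; i < n; i++) {
        if (heur_list[i](&b)) {
            conv->chosen = i;
            return i;
        }
    }
    return -1;
}
```

Protocol B's check is deliberately weak: any packet consisting of two zero bytes satisfies it, which is the accidental success the message warns about, and the conversation then stays marked with that protocol.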