Wireshark · Ethereal-dev: [Ethereal-dev] having trouble using heuristic dissector

Ethereal-dev: [Ethereal-dev] having trouble using heuristic dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Saad Nader" <snader12@xxxxxxxxx>

Date: Thu, 25 May 2006 14:52:47 -0700

Hello,
I'm new to ethereal development and needed some help. I have created a heuristic dissector and associated it with all udp packets as follows:

// in the proto_reg_handoff _myproto, after checking initialized
// and creating the proto handle
heur_dissector_add("udp", heur_dissect_myproto, proto_myproto);

// The dissector looks like the following
// the previous ports:
static guint32 previous_src_port = -1;
static guint32 previous_dst_port = -1;
static gboolean heur_dissect_myproto(tvbuff_t *tvb, packet_info *pinfo,
                                                        proto_tree *tree)
{
    gshort myproto_head;
   guint8 myproto_packet_type;
   gint offset;

   offset = 0;
    // Check if there is really any data to parse!
    if (tvb_bytes_exist(tvb, 0, tvb_length_remaining(tvb, 0)) == FALSE)
        return FALSE;

    if (tvb_length_remaining(tvb, 0) < 5)
        return FALSE;

    // Check for the magic string and the type before parsing further
    myproto_head = tvb_get_ntohs(tvb, offset);

    if (myproto_head == MY_PROTO_HEAD)
        offset += 2;

    myproto_packet_type = tvb_get_guint8(tvb, offset);
    if ( myproto_head == MY_PROTO_HEAD && myproto_packet_type <= 9)
    {
        previous_src_port = pinfo->srcport;

        previous_dst_port = pinfo->destport;
        call_dissector(myproto_handle, tvb, pinfo, tree);
        return TRUE;
    }
    else if (previous_src_port == pinfo->destport &&

previous_dst_port == pinfo->srcport)
{

// I was never able to get the subtree working in the UI

// with my original dissector.

// however any packet that had the MY_PROTO_HEAD worked.

// I guess during detailed information the static vars

// get set to -1. That might be why the detailed info

// didn't show.

previous_src_port = -1;

        previous_dst_port = -1;
        call_dissector(myproto_handle, tvb, pinfo, tree);
        return TRUE;

}

return FALSE;

}

My question is why doesn't detailed information show for the else if statement? Should I just save the port off and add it as a filter, i.e. dissector_add("udp.port", pinfo->destport, myproto_handle)?

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

Prev by Date: RE: [Ethereal-dev] Print in packet Bytes pane
Next by Date: RE: [Ethereal-dev] Print in packet Bytes pane
Previous by thread: RE: [Ethereal-dev] Print in packet Bytes pane
Next by thread: [Ethereal-dev] [Patch] Show/skip profile-specific extensions in RTCP SR/RR reports
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$