Wireshark-dev: Re: [Wireshark-dev] Define dissector port
From: "Hal Lander" <hal_lander@xxxxxxxxxxx>
Date: Mon, 22 Jan 2007 03:52:29 -0900
Jaap,

Thanks I can see what is intended now.

Hal


From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Reply-To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Define dissector port
Date: Sun, 21 Jan 2007 19:29:51 +0100 (CET)

Hi,

Lets see how it works. From packet.c:

heur_dissector_add()
{
  sub_dissectors = find_heur_dissector_list(name);
  *sub_dissectors = g_slist_append(*sub_dissectors, (gpointer)dtbl_entry);
}

Where name is "tcp" and dtbl_entry is your protocols dissector information.

When the TCP dissector is ready to search for subdissectors it calls:
dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
which loops over the registered dissectors calling them one by one until
one returns TRUE.

for (entry = sub_dissectors; entry != NULL; entry = g_slist_next(entry)) {
	if ((*dtbl_entry->dissector)(tvb, pinfo, tree)) {
		status = TRUE;
		break;
	}
}

So it comes down to the order in which the dissectors are added to the
heurstic sub dissector list, which in turn depends on the order in which
they are registered with register_all_protocols(). This function is
generated by means of a make-dissector-reg script which takes the order
from the symbol DISSECTOR_SRC.
So, depending on where you've added your dissector in the list determines
the order in which the heuristic dissectors are called.

The question is, should the order of dissectors matter? The design
says No.
It says that because it has the point of view that the heuristics in the
dissector should be smart enough to figure out if the payload handed over
to it is actually the protocol it dissects. So, the point of improvement
is in the heuristics, either yours or from other dissectors.

A work around with the current release is just simply to disable the
dissector of the protocols you're not interested in. This largely improves
the experience with current heuristic dissectors.

Thanx,
Jaap

On Sun, 21 Jan 2007, Hal Lander wrote:

> Thanks Jaap,
>
> I used heur_dissector_add for the parent protocol "tcp" and things seem to
> be working.
> I would like to understand a bit more about what is going on though.
>
> There is a function
>      /* Find a dissector table by table name. */
>      extern dissector_table_t find_dissector_table(const char *name);
>
> So after I have added my heuristic dissector I should be able to call
>     tbl=find_dissector_table("tcp");
>
> and see my dissector?
>
> Does anybody have a code snippit to show how to loop the table and see the
> dissectors?
> Where is the table structure defined?
>
> Most importantantly what determines the order in which the heuristic
> dissectors are called, and how can I make sure mine is called first?
>
> TIA
> Hal
>
> /** Add a sub-dissector to a heuristic dissector list.
> *  Call this in the proto_handoff function of the sub-dissector.
> *
> * @param name the name of the "parent" protocol, e.g. "tcp"
> * @param dissector the sub-dissector to be registered
> * @param proto the protocol id of the sub-dissector
> */
> extern void heur_dissector_add(const char *name, heur_dissector_t dissector,
>     int proto);
>
>
>
> >From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
> >Reply-To: Developer support list for Wireshark
> ><wireshark-dev@xxxxxxxxxxxxx>
> >To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> >Subject: Re: [Wireshark-dev] Define dissector port
> >Date: Tue, 16 Jan 2007 20:39:19 +0100 (CET)
> >
> >Hi,
> >
> >Have a look in epan/packet.h and search for "heur".
> >
> >Thanx,
> >Jaap
> >
> >On Tue, 16 Jan 2007, Hal Lander wrote:
> >
> > > I am still struggling with this.
> > > Is there any documentation on heur_dissector_add and where/how to call
> >it?
> > >
> > > Also I presume from Guy's posting I have to add my protocol into some
> > > tables?
> > >
> > > Hal
> > >
> > > >From: "sharon lin" <sharon.lin.1@xxxxxxxxx>
> > > >Reply-To: Developer support list for Wireshark
> > > ><wireshark-dev@xxxxxxxxxxxxx>
> > > >To: "Developer support list for Wireshark"
> ><wireshark-dev@xxxxxxxxxxxxx>
> > > >Subject: Re: [Wireshark-dev] Define dissector port
> > > >Date: Tue, 16 Jan 2007 17:51:11 +0200
> > > >
> > > >Add
> > > >heur_dissector_add("udp", dissect_fring, proto_fring);
> > > >   heur_dissector_add("tcp", dissect_fring, proto_fring);
> > > >
> > > >On 1/16/07, Hal Lander <hal_lander@xxxxxxxxxxx> wrote:
> > > >>
> > > >>The word 'heuristic' only appears once in 'readme.developer', and
> >although
> > > >>I
> > > >>have skimmed through the whole document I seem to have missed where it
> > > >>tells
> > > >>you how to make a dissector heuristic.
> > > >>
> > > >>Can you be more specific about where there is an example?
> > > >>Can plugins be heuristic dissectors?
> > > >>
> > > >>Once a dissector is heuristic will it just look on all ports?
> > > >>
> > > >>Hal
> > > >>
> > > >>
> > > >>
> > > >> >From: Guy Harris <guy@xxxxxxxxxxxx>
> > > >> >Reply-To: Developer support list for Wireshark
> > > >> ><wireshark-dev@xxxxxxxxxxxxx>
> > > >> >To: Developer support list for Wireshark
> ><wireshark-dev@xxxxxxxxxxxxx>
> > > >> >Subject: Re: [Wireshark-dev] Define dissector port
> > > >> >Date: Mon, 15 Jan 2007 10:37:39 -0800
> > > >> >
> > > >> >Hal Lander wrote:
> > > >> > > Is there a way to get a dissector to run on all ports?
> > > >> >
> > > >> >A dissector that runs on all ports would have to be a heuristic
> > > >> >dissector (otherwise, you wouldn't be able to dissect any TCP/UDP
> > > >> >traffic except for traffic for your protocol).
> > > >> >
> > > >> >So the way you'd do that would be to have your dissector be able to
> >look
> > > >> >at a packet and determine whether it's a packet for your protocol or
> > > >> >not, and use a check for that sort in your dissector.  See
> > > >> >doc/README.developer for information on how to make a heuristic
> > > >> >dissector.  The name of the heuristic dissector table for TCP is
> >"tcp",
> > > >> >and the table for UDP is "udp".
> > >
> > >
> >
>

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev

_________________________________________________________________
Type your favorite song.  Get a customized station.  Try MSN Radio powered by Pandora. http://radio.msn.com/?icid=T002MSN03A07001