Wireshark-dev: Re: [Wireshark-dev] heuristic Dissector vs. normal dissector
Wireshark will first[1] try giving a given packet to port-registered
dissectors. If any of them accept the message, it's done. If none of
them take the message (or there are no port-registered dissectors on
that port), Wireshark will give the packet to each heuristic TCP
dissector, one after the other, until one accepts the packet.
[1] TCP has a "try heuristic subdissectors first" option which makes it
try the heuristic dissectors before the port-registered ones.
Tom Stevens wrote:
Thanks for the information!
But, without a port number, how can Wireshark find (identify) the
correct dissector for the incoming packets? What are the specific criteria?
Maybe you can give me an example. I'm a bit slow on the uptake at the
moment.
Greetings Tom (Germany)
2008/8/27 Kumar, Hemant <kumarh@xxxxxxxxxxxx>
Basically, a heuristic dissector means that your dissector will accept
all the traffic packets and will not segregate based on port number.
So to identify your own custom dissector protocol messages you have
to separate out the packets based on certain criteria specific to your
protocol.
A normal dissector is registered with Wireshark based on
port information, which tells Wireshark on which port your message is
going to be exchanged.
I hope it clarifies.
Hemant.
------------------------------------------------------------------------
*From:* wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] *On Behalf Of* Tom Stevens
*Sent:* Wednesday, August 27, 2008 2:24 PM
*To:* wireshark-dev@xxxxxxxxxxxxx
*Subject:* [Wireshark-dev] heuristic Dissector vs. normal dissector
Hi!
What are the differences between a heuristic dissector and a normal
dissector? So far I have not considered heuristic dissectors,
because I did not know what they are and how to use them.
Maybe you can help!
Thanks in advance Tom (Germany)
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
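The dispatch order described at the top of the thread (port-registered dissectors first, then each heuristic in turn until one accepts, with TCP's "try heuristic sub-dissectors first" preference reversing that order), modelled in a stand-alone C program. This is an added example, not code from the thread or from Wireshark; it does not use Wireshark's API, and the toy protocol "FOO", its port 7777, the sample payloads and the dissector names are constructed for the illustration. The point it adds to the discussion is why a heuristic's acceptance test has to be strict: a sloppy heuristic that only checks one byte claims traffic that is not its own, and with the heuristic-first preference it even takes packets away from a dissector properly registered on its port.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of Wireshark's dispatch order. It does not use the
 * Wireshark API; the protocol "FOO" and port 7777 are made up. */

typedef struct {
    uint16_t       dst_port;   /* TCP destination port */
    const uint8_t *data;       /* TCP payload */
    size_t         len;
} packet_t;

/* Every dissector answers one question: do I claim this payload? */
typedef bool (*dissect_fn)(const packet_t *pkt);

typedef struct { uint16_t port; const char *name; dissect_fn fn; } port_dissector_t;
typedef struct { const char *name; dissect_fn fn; } heur_dissector_t;

/* Toy protocol "FOO": magic "FOO1", version byte 1, 16-bit big-endian body
 * length that must equal the number of bytes that follow. Checking all three
 * fields is what keeps the heuristic from claiming unrelated traffic. */
static bool dissect_foo(const packet_t *pkt)
{
    if (pkt->len < 7 || memcmp(pkt->data, "FOO1", 4) != 0 || pkt->data[4] != 1)
        return false;
    size_t body_len = ((size_t)pkt->data[5] << 8) | pkt->data[6];
    return body_len == pkt->len - 7;
}

/* Deliberately weak heuristic: accepts anything that starts with 'F'. */
static bool dissect_sloppy(const packet_t *pkt)
{
    return pkt->len > 0 && pkt->data[0] == 'F';
}

/* Port-registered dissectors only see packets on their port, and may still
 * reject them (e.g. a malformed header), in which case heuristics get a turn. */
static const char *try_ports(const packet_t *pkt, const port_dissector_t *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i].port == pkt->dst_port && d[i].fn(pkt))
            return d[i].name;
    return NULL;
}

/* Heuristics are tried one after the other; registration order decides who wins. */
static const char *try_heuristics(const packet_t *pkt, const heur_dissector_t *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i].fn(pkt))
            return d[i].name;
    return NULL;
}

/* Port-registered first, then heuristics, unless heur_first models the TCP
 * preference "try heuristic sub-dissectors first" mentioned in footnote [1]. */
static const char *dispatch(const packet_t *pkt,
                            const port_dissector_t *ports, size_t nports,
                            const heur_dissector_t *heurs, size_t nheurs,
                            bool heur_first)
{
    const char *hit = NULL;
    if (heur_first)
        hit = try_heuristics(pkt, heurs, nheurs);
    if (!hit)
        hit = try_ports(pkt, ports, nports);
    if (!hit && !heur_first)
        hit = try_heuristics(pkt, heurs, nheurs);
    return hit ? hit : "data";      /* nobody claimed it: shown as raw data */
}

/* Build the registries and classify one payload. register_sloppy puts the weak
 * heuristic ahead of the strict one, as a careless registration order would. */
const char *classify(const uint8_t *data, size_t len, uint16_t dst_port,
                     bool register_sloppy, bool heur_first)
{
    static const port_dissector_t ports[] = { { 7777, "foo", dissect_foo } };
    heur_dissector_t heurs[2];
    size_t nheurs = 0;
    if (register_sloppy)
        heurs[nheurs++] = (heur_dissector_t){ "sloppy-heur", dissect_sloppy };
    heurs[nheurs++] = (heur_dissector_t){ "foo-heur", dissect_foo };

    packet_t pkt = { dst_port, data, len };
    return dispatch(&pkt, ports, 1, heurs, nheurs, heur_first);
}

/* Constructed sample payloads. */
const uint8_t FOO_OK[]      = { 'F','O','O','1', 1, 0x00,0x03, 'a','b','c' };
const uint8_t FOO_BAD_LEN[] = { 'F','O','O','1', 1, 0x00,0x09, 'a','b','c' };
const uint8_t NOT_FOO[]     = { 'F','r','o','m',':',' ','x' };

int main(void)
{
    printf("%s\n", classify(FOO_OK, sizeof FOO_OK, 7777, false, false));   /* foo */
    printf("%s\n", classify(FOO_OK, sizeof FOO_OK, 9999, false, false));   /* foo-heur */
    printf("%s\n", classify(NOT_FOO, sizeof NOT_FOO, 9999, false, false)); /* data */
    printf("%s\n", classify(NOT_FOO, sizeof NOT_FOO, 9999, true, false));  /* sloppy-heur */
    printf("%s\n", classify(FOO_OK, sizeof FOO_OK, 7777, true, true));     /* sloppy-heur */
    return 0;
}
```

The first two calls show the two routes a correctly formed FOO message can take: by port when it arrives on 7777, by heuristic when it arrives anywhere else. The last two show the cost of a weak heuristic: it mislabels an unrelated payload, and once the heuristic-first preference is on it also steals traffic from the port-registered dissector. In a real dissector the equivalent of `dissect_foo` should check every field it can before claiming the packet, and reject rather than guess when the length field does not match the captured payload.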