Wireshark-dev: Re: [Wireshark-dev] display filtering + how to analyze some TCP packets
On Tue, Oct 25, 2011 at 6:37 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> What is it you're trying to do here?
This was just a personal design concern. The protocol I dissect is TLV
based. For each type, I had assigned a function pointer pointing
taking as argument a proto_item to which it could append_text.
(everything was proto_tree_add_text based). But as I wanted to setup
display filter, I understood my design was flawed.
Well I modified it and managed it to filter my display \o/
> If it's a predefined port for TCP, do the same sort of thing, but using "tcp.port" and the predefined TCP port number and handle for the dissector for your protocol when it runs over TCP.
In fact there is one predefined port for udp and tcp but they can be
changed to some arbitrary port.
> If it's not a predefined port, you'd have to, well, analyze the first bytes to know if it matches your protocol.
Right now I analyze the first 2 bytes to check if it's equal to 0x0002
but I am not sure it's the right check (protocol specs are
unavailable). If 2 dissectors match the bytes, what may happen ?
> That means making your dissector a heuristic dissector, which:
> returns a gboolean value - TRUE if it matches, FALSE if it doesn't;
> as its first action, before doing *anything* to the protocol tree or the columns, checks whether the first bytes look as if the packet is for your protocol or not;
Ok it works \o/ Once I recognize the packet matches my protocol,
shoulddissect_energywise_tcp_heur further analyze the packet or
immediately returns true and wireshark would give the packet to some
other dissector ?
Btw, I Had an assert DISSECTOR_ASSERT_NOT_REACHED(), hopefully I
looked at the code before asking you and the comment next to assert
was "/* This part is not implemented yet */". Is it not possible to do
a DISSECTOR_ASSERT_NOT_REACHED("This part is not implemented yet"). ?
Thanks to your advice I managed to achieve 2 things I really wanted
to. Next task is to create a conversation. I will try myself and may
go back to the list if I don't succed.
Once more thank you
Matt