Re: [Wireshark-dev] [Wireshark-commits] master 04c39bb: Add Lua heuristic dissector support

2014-03-14 Thread Bill Meier 


Re;


  doc/README.heuristic  |   10 +--



+ * but ONLY do this if your heuristic sits directly on top of UDP
or TCP (ie, you did heur_dissector
+ * otherwise you'll be overriding the dissector that called your
heuristic dissector.


I think this is not correct. There is at least one transport protocol 
other than TCP  UDP (i.e., DCCP) which currently has a heuristic table 
and calls 'try_conversation()' and thus heuristic sub-dissectors can use 
conversation_set_dissector().


I think, in theory, any protocol associated with the known
'port_type's [1] can establish a conversation for that port_type and 
then have heuristic sub-dissectors which can call 
conversation_set_dissector().


In actuality, only a few dissectors currently do so.


How about the something like following wording:

... but only do this if your heuristic sits directly on top of
(was called by) a dissector which established a conversation
for the protocol port type. IOW: directly over TCP, UDP, ...


Looking at the Wireshark dissectors: I see at least one
possibly problematical case:

packet-soupbintcp has heuristic sub-dissectors and uses 
try_conversation() even though it actually uses (I think) the 
conversation established bu packet-tcp.


I thinks this means that if packet-tcp has try heuristic first that 
things won't work right.


I'll have to research this further.

Bill



[1]
/* Types of port numbers Wireshark knows about. */
typedef enum {
PT_NONE,/* no port number */
PT_SCTP,/* SCTP */
PT_TCP, /* TCP */
PT_UDP, /* UDP */
PT_DCCP,/* DCCP */
PT_IPX, /* IPX sockets */
PT_NCP, /* NCP connection */
PT_EXCHG,   /* Fibre Channel exchange */
PT_DDP, /* DDP AppleTalk connection */
PT_SBCCS,   /* FICON */
PT_IDP, /* XNS IDP sockets */
PT_TIPC,/* TIPC PORT */
PT_USB, /* USB endpoint 0x means the host */
PT_I2C,
PT_IBQP,/* Infiniband QP number */
PT_BLUETOOTH
} port_type;

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] [Wireshark-commits] master 04c39bb: Add Lua heuristic dissector support

2014-03-14 Thread Hadriel Kaplan 

On Mar 14, 2014, at 5:06 PM, Bill Meier wme...@newsguy.com wrote:

 
 Re;
 
  doc/README.heuristic  |   10 +--
 
 
 + * but ONLY do this if your heuristic sits directly on top of UDP
or TCP (ie, you did heur_dissector
 + * otherwise you'll be overriding the dissector that called your
heuristic dissector.
 
 
 I think this is not correct. There is at least one transport protocol other 
 than TCP  UDP (i.e., DCCP) which currently has a heuristic table and calls 
 'try_conversation()' and thus heuristic sub-dissectors can use 
 conversation_set_dissector().

Right - sorry, I was being too specific.


 How about the something like following wording:
 
 ... but only do this if your heuristic sits directly on top of
(was called by) a dissector which established a conversation
for the protocol port type. IOW: directly over TCP, UDP, ...
 

Sounds good. I'll submit it shortly if no one objects.

-hadriel

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe