[Wireshark-dev] Define dissector port

2007-01-14 Thread sharon lin

Hi,
I would like the user of my dissector to be able to define the port on which the
protocol works from the regular expression field,

for example myProtocol.port == 1000

Sharon
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev


Re: [Wireshark-dev] Define dissector port

2007-01-14 Thread Guy Harris
sharon lin wrote:

> I would like the user of my dissector to be able to define the port on which the 
> protocol works from the regular expression field,
>  
> for example myProtocol.port == 1000

I don't see any regular expression there.

The way dissectors let the user define the port the protocol works 
on is by adding a protocol preference with the port number.  See, for 
example, epan/dissectors/packet-actrace.c.

You could specify that from the command line with "-o 
myProtocol.port:1000", or from the GUI in Edit -> Preferences.


Re: [Wireshark-dev] Define dissector port

2007-01-15 Thread Hal Lander

Is there a way to get a dissector to run on all ports?

So far I have been explicitly adding it to a specific port e.g.
   dissector_add("tcp.port",1234,handle);

TIA
Hal

P.S. Guy, thanks for answering an earlier post. I did not reply because I have 
been ill. I just use 'foo' as the protocol name because I am experimenting 
with Wireshark.






Re: [Wireshark-dev] Define dissector port

2007-01-15 Thread Douglas Pratley
Hi

I don't think there is (if I am wrong, please someone tell me!). I am
currently working on allowing the user to force the selection of the
next dissector using display filters (initially for TCP and UDP), which
I think would do what you want. You would use the display filter
"tcp.port" for all traffic with the TCP port set. I plan to allow the
control of this from the GUI (probably extensions to the "Decode As..."
dialog) and from Lua (if I can work out how to write the API extensions).

It is an interesting exercise...

I should have something ready within the next few weeks, but it will be
a largish patch and I don't know when the core developers would have
time to consider it given the current hectic activity.

Cheers

Doug


Re: [Wireshark-dev] Define dissector port

2007-01-15 Thread Guy Harris
Hal Lander wrote:
> Is there a way to get a dissector to run on all ports?

A dissector that runs on all ports would have to be a heuristic 
dissector (otherwise, you wouldn't be able to dissect any TCP/UDP 
traffic except for traffic for your protocol).

So the way you'd do that would be to have your dissector be able to look 
at a packet and determine whether it's a packet for your protocol or 
not, and use a check for that sort in your dissector.  See 
doc/README.developer for information on how to make a heuristic 
dissector.  The name of the heuristic dissector table for TCP is "tcp", 
and the table for UDP is "udp".

Re: [Wireshark-dev] Define dissector port

2007-01-16 Thread Hal Lander
The word 'heuristic' only appears once in 'readme.developer', and although I 
have skimmed through the whole document I seem to have missed where it tells 
you how to make a dissector heuristic.

Can you be more specific about where there is an example?
Can plugins be heuristic dissectors?

Once a dissector is heuristic will it just look on all ports?

Hal




Re: [Wireshark-dev] Define dissector port

2007-01-16 Thread sharon lin

Add
heur_dissector_add("udp", dissect_fring, proto_fring);
heur_dissector_add("tcp", dissect_fring, proto_fring);


Re: [Wireshark-dev] Define dissector port

2007-01-16 Thread Hal Lander
I am still struggling with this.
Is there any documentation on heur_dissector_add and where/how to call it?

Also I presume from Guy's posting I have to add my protocol into some 
tables?

Hal


Re: [Wireshark-dev] Define dissector port

2007-01-16 Thread Jaap Keuter
Hi,

Have a look in epan/packet.h and search for "heur".

Thanx,
Jaap


Re: [Wireshark-dev] Define dissector port

2007-01-21 Thread Hal Lander
Thanks Jaap,

I used heur_dissector_add for the parent protocol "tcp" and things seem to 
be working.
I would like to understand a bit more about what is going on though.

There is a function
 /* Find a dissector table by table name. */
 extern dissector_table_t find_dissector_table(const char *name);

So after I have added my heuristic dissector I should be able to call
tbl=find_dissector_table("tcp");

and see my dissector?

Does anybody have a code snippet to show how to loop the table and see the 
dissectors?
Where is the table structure defined?

Most importantly, what determines the order in which the heuristic 
dissectors are called, and how can I make sure mine is called first?

TIA
Hal

/** Add a sub-dissector to a heuristic dissector list.
*  Call this in the proto_handoff function of the sub-dissector.
*
* @param name the name of the "parent" protocol, e.g. "tcp"
* @param dissector the sub-dissector to be registered
* @param proto the protocol id of the sub-dissector
*/
extern void heur_dissector_add(const char *name, heur_dissector_t dissector,
                               int proto);




Re: [Wireshark-dev] Define dissector port

2007-01-21 Thread Guy Harris
Hal Lander wrote:

> There is a function
>  /* Find a dissector table by table name. */
>  extern dissector_table_t find_dissector_table(const char *name);
> 
> So after I have added my heuristic dissector I should be able to call
> tbl=find_dissector_table("tcp");
> 
> and see my dissector?

No, because that's the table for dissectors registered with particular 
TCP port numbers.  The call to get the table for heuristic dissectors is

tbl = find_heur_dissector_list("tcp");

> Does anybody have a code snippet to show how to loop the table and see the 
> dissectors?

No, because there is currently no way to do that.

> Where is the table structure defined?

Internally to epan/packet.c; it's opaque to dissectors.  That is by 
design and intent.

Dissectors should not need to loop the table and see the dissectors; 
dissectors should be written in such a way as to be completely 
independent of the contents of a heuristic dissector table in which 
they're registered.

> Most importantly, what determines the order in which the heuristic 
> dissectors are called,

The order in which the dissectors are added to that table.

> and how can I make sure mine is called first?

We do not offer any mechanism to control the order in which dissectors 
are added to the table; this is by design and intent.  If another 
dissector happens to be before your dissector in the table, and happens 
to claim a packet that's a packet for your protocol, that means that 
it's claiming a packet that's not a packet for its protocol, which means 
its heuristics are too weak and it needs to be fixed.

Re: [Wireshark-dev] Define dissector port

2007-01-21 Thread Jaap Keuter
Hi,

Let's see how it works. From packet.c:

heur_dissector_add()
{
  sub_dissectors = find_heur_dissector_list(name);
  *sub_dissectors = g_slist_append(*sub_dissectors, (gpointer)dtbl_entry);
}

Where name is "tcp" and dtbl_entry is your protocol's dissector information.

When the TCP dissector is ready to search for subdissectors it calls:
dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree)
which loops over the registered dissectors calling them one by one until
one returns TRUE.

for (entry = sub_dissectors; entry != NULL; entry = g_slist_next(entry)) {
    /* each list element carries the entry registered by heur_dissector_add() */
    dtbl_entry = (heur_dtbl_entry_t *)entry->data;
    if ((*dtbl_entry->dissector)(tvb, pinfo, tree)) {
        status = TRUE;
        break;
    }
}

So it comes down to the order in which the dissectors are added to the
heuristic sub-dissector list, which in turn depends on the order in which
they are registered with register_all_protocols(). This function is
generated by means of a make-dissector-reg script which takes the order
from the symbol DISSECTOR_SRC.
So where you've added your dissector in that list determines
the order in which the heuristic dissectors are called.

The question is, should the order of dissectors matter? The design
says No.
It says that because it has the point of view that the heuristics in the
dissector should be smart enough to figure out if the payload handed over
to it is actually the protocol it dissects. So, the point of improvement
is in the heuristics, either yours or from other dissectors.

A workaround with the current release is simply to disable the
dissectors of the protocols you're not interested in. This largely improves
the experience with current heuristic dissectors.

Thanx,
Jaap

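Jaap's walk-through of heur_dissector_add() and dissector_try_heuristic(), and Guy's point that a dissector which claims another protocol's packet simply has heuristics that are too weak, can be reproduced without Wireshark. The stand-alone C program below is an added example, not Wireshark's code: it models the per-parent heuristic list as a singly linked list that is appended to on registration and walked in order until the first callback returns non-zero. The "foo" protocol, its byte layout (a 4-byte magic "FOO1" followed by a 16-bit big-endian payload length), the deliberately weak "weaktext" heuristic and the sample packets are all constructed for this example.

```c
/* Added example (not Wireshark code): a model of the heuristic
 * sub-dissector list described in the thread. Registration appends to a
 * list, and the try loop calls entries in registration order until one
 * claims the packet, so a weak heuristic registered earlier can steal a
 * packet that belongs to a protocol registered later. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heuristic callback returns non-zero when it claims the payload. */
typedef int (*heur_fn)(const uint8_t *buf, size_t len);

typedef struct heur_entry {
    const char *proto;          /* name of the registering protocol */
    heur_fn dissector;
    struct heur_entry *next;
} heur_entry;

/* One list per parent protocol; only "tcp" and "udp" are modelled. */
typedef struct { const char *name; heur_entry *head; } heur_list;
static heur_list lists[] = { {"tcp", NULL}, {"udp", NULL} };

static heur_list *find_heur_dissector_list(const char *name) {
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; i++)
        if (strcmp(lists[i].name, name) == 0) return &lists[i];
    return NULL;
}

/* Mirrors the packet.c excerpt: append, so list order == registration order. */
int heur_dissector_add(const char *name, heur_fn fn, const char *proto) {
    heur_list *l = find_heur_dissector_list(name);
    if (!l) return 0;
    heur_entry *e = malloc(sizeof *e);
    e->proto = proto; e->dissector = fn; e->next = NULL;
    heur_entry **pp = &l->head;
    while (*pp) pp = &(*pp)->next;
    *pp = e;
    return 1;
}

/* Mirrors dissector_try_heuristic(): the first entry returning non-zero wins.
 * Returns the claiming protocol's name, or NULL if nobody claimed the bytes. */
const char *dissector_try_heuristic(const char *name, const uint8_t *buf, size_t len) {
    heur_list *l = find_heur_dissector_list(name);
    for (heur_entry *e = l ? l->head : NULL; e; e = e->next)
        if (e->dissector(buf, len)) return e->proto;
    return NULL;
}

/* Hypothetical "foo" protocol: magic "FOO1", then a 16-bit big-endian
 * payload length that must match the bytes actually present. */
int heur_foo_strict(const uint8_t *buf, size_t len) {
    if (len < 6 || memcmp(buf, "FOO1", 4) != 0) return 0;
    size_t plen = ((size_t)buf[4] << 8) | buf[5];
    return plen == len - 6;
}

/* A heuristic of the kind Guy says "needs to be fixed": it claims any
 * payload whose first byte is printable ASCII, which matches foo too. */
int heur_weak_text(const uint8_t *buf, size_t len) {
    return len > 0 && buf[0] >= 0x20 && buf[0] < 0x7f;
}

static void reset_lists(void) {
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; i++) {
        heur_entry *e = lists[i].head;
        while (e) { heur_entry *n = e->next; free(e); e = n; }
        lists[i].head = NULL;
    }
}

/* Register the two heuristics on "tcp" in the given order (as if they sat
 * in that order in DISSECTOR_SRC) and report who claims a valid foo packet. */
const char *run_order(int weak_first) {
    static const uint8_t foo_pkt[] = {'F','O','O','1', 0x00, 0x03, 'a','b','c'};
    reset_lists();
    if (weak_first) {
        heur_dissector_add("tcp", heur_weak_text, "weaktext");
        heur_dissector_add("tcp", heur_foo_strict, "foo");
    } else {
        heur_dissector_add("tcp", heur_foo_strict, "foo");
        heur_dissector_add("tcp", heur_weak_text, "weaktext");
    }
    return dissector_try_heuristic("tcp", foo_pkt, sizeof foo_pkt);
}

/* With only the strict heuristic registered, unrelated text is left unclaimed. */
const char *strict_only_on_text(void) {
    static const uint8_t http_pkt[] = "GET / HTTP/1.0\r\n";   /* constructed */
    reset_lists();
    heur_dissector_add("tcp", heur_foo_strict, "foo");
    return dissector_try_heuristic("tcp", http_pkt, sizeof http_pkt - 1);
}

int main(void) {
    printf("weak registered first : claimed by %s\n", run_order(1));
    printf("strict registered first: claimed by %s\n", run_order(0));
    const char *who = strict_only_on_text();
    printf("strict only, HTTP text : %s\n", who ? who : "(unclaimed)");
    return 0;
}
```

The two runs of run_order() differ only in registration order, which is exactly the DISSECTOR_SRC dependency Jaap describes; the weak heuristic wins whenever it is first. The fix is the one Guy gives: tighten the weak heuristic (check a magic, a length field, a version byte) rather than reorder the list, and the strict_only_on_text() case shows what a good heuristic does with bytes that are not its protocol.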

Re: [Wireshark-dev] Define dissector port

2007-01-22 Thread Hal Lander
Guy,

Very helpful, I can see what is supposed to happen now.
The reason I wanted to loop through the dissectors was just to check I had 
managed to add mine, but I understand why that is not possible.

I am not so sure about not being able to define the order the heuristic 
dissectors are called in, because I don't feel able to beef up somebody 
else's dissector that is wrongly grabbing packets. Jaap has mentioned 
disabling problem dissectors and I'll pick that up in his post.

Thanks
Hal


>From: Guy Harris <[EMAIL PROTECTED]>
>Reply-To: Developer support list for Wireshark 
>
>To: Developer support list for Wireshark 
>Subject: Re: [Wireshark-dev] Define dissector port
>Date: Sun, 21 Jan 2007 10:04:53 -0800
>
>Hal Lander wrote:
>
> > There is a function
> >  /* Find a dissector table by table name. */
> >  extern dissector_table_t find_dissector_table(const char *name);
> >
> > So after I have added my heuristic dissector I should be able to call
> > tbl=find_dissector_table("tcp");
> >
> > and see my dissector?
>
>No, because that's the table for dissectors registered with particular
>TCP port numbers.  The call to get the table for heuristic dissectors is
>
>   tbl = find_heur_dissector_list("tcp");
>
> > Does anybody have a code snippit to show how to loop the table and see 
>the
> > dissectors?
>
>No, because there is currently no way to do that.
>
> > Where is the table structure defined?
>
>Internally to epan/packet.c; it's opaque to dissectors.  That is by
>design and intent.
>
>Dissectors should not need to loop the table and see the dissectors;
>dissectors should be written in such a way as to be completely
>independent of the contents of a heuristic dissector table in which
>they're registered.
>
> > Most importantantly what determines the order in which the heuristic
> > dissectors are called,
>
>The order in which the dissectors are added to that table.
>
> > and how can I make sure mine is called first?
>
>We do not offer any mechanism to control the order in which dissectors
>are added to the table; this is by design and intent.  If another
>dissector happens to be before your dissector in the table, and happens
>to claim a packet that's a packet for your protocol, that means that
>it's claiming a packet that's not a packet for its protocol, which means
>its heuristics are too weak and it needs to be fixed.
>___
>Wireshark-dev mailing list
>Wireshark-dev@wireshark.org
>http://www.wireshark.org/mailman/listinfo/wireshark-dev

_
Turn searches into helpful donations. Make your search count. 
http://click4thecause.live.com/search/charity/default.aspx?source=hmemtagline_donation&FORM=WLMTAG

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev


Re: [Wireshark-dev] Define dissector port

2007-01-22 Thread Hal Lander

Jaap,

Thanks I can see what is intended now.

Hal


