I am a newbie trying to make a plugin, and in my case the criteria for Wireshark to call my dissector has to be that either the source or destination MAC will be in this format - "02 00 6f 0x 0y 01" where only x and y are positive integers and can vary. Do we have an option to use a regex sort of thing here? It's very urgent, any help is appreciated.

asked 29 May '12, 04:58 yogeshg
One Answer:
The short answer: There's no "regex" option. However, you can register your dissector as an "eth" heuristic dissector, which means your dissector will be called as a heuristic dissector before the frame body is dissected as Ethernet. If the MAC address in the frame matches your requirements, you can do your own dissection and then return TRUE to prevent any further dissection. See epan/dissectors/packet-mim.c; packet-tte.c is another dissector which registers as a heuristic "eth" dissector.

answered 29 May '12, 07:18 Bill Meier ♦♦

Hi, I am using a heuristic dissector now for the MAC relevant to my protocol, but that would mean tvb will point to the eth payload, isn't it? Instead I want to dissect the HTTP payload, so I need tvb to point to the HTTP payload. How can I do that? Thanks for your time.

(05 Jun '12, 23:39) yogeshg
Let me rephrase the question: I've noticed the function dissector_add() gets called to associate a particular identifier with a dissector handle. And I want it to associate it with packets having either source or destination MAC in this format: "02:00:6f:0x:0y:01". Here everything will remain fixed and only x and y can change. So I was wondering if we have a regex option which can match it properly. Hope I am clear. Please help.
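The pattern test the answer describes (match the frame's source or destination MAC against a fixed prefix/suffix with two variable octets) does not need a regex; it is a handful of byte comparisons over the first 12 bytes of the Ethernet header. The following is an added, self-contained C example and not code from the thread, from packet-mim.c or from packet-tte.c. It assumes the "0x"/"0y" octets mean "high nibble zero, low nibble non-zero" and embeds constructed sample frames; the comments describe where this check would sit inside a heuristic "eth" dissector, whose exact registration signature depends on the Wireshark version.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN 14   /* dst MAC (6) + src MAC (6) + EtherType (2) */

/*
 * Return 1 if mac looks like 02:00:6f:0x:0y:01, where octets 3 and 4 must
 * have a zero high nibble and a non-zero low nibble (x, y in 1..f).
 * Assumption: this is how the "0x"/"0y" notation in the question is read.
 */
int mac_matches_pattern(const uint8_t mac[6])
{
    if (mac[0] != 0x02 || mac[1] != 0x00 || mac[2] != 0x6f || mac[5] != 0x01)
        return 0;
    if ((mac[3] & 0xf0) != 0 || (mac[3] & 0x0f) == 0)
        return 0;
    if ((mac[4] & 0xf0) != 0 || (mac[4] & 0x0f) == 0)
        return 0;
    return 1;
}

/*
 * Return 1 if the frame's destination MAC (offset 0) or source MAC
 * (offset 6) matches the pattern. A frame shorter than a full Ethernet
 * header is rejected rather than read out of bounds.
 *
 * In a heuristic "eth" dissector the tvb starts at the Ethernet header,
 * so the same 12 bytes can be copied with tvb_memcpy(tvb, buf, 0, 12)
 * and passed here; the dissector is registered with heur_dissector_add()
 * on the "eth" list as the answer describes (argument list varies by version).
 */
int frame_matches_pattern(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return 0;
    return mac_matches_pattern(frame) || mac_matches_pattern(frame + 6);
}

/* Constructed sample frames (not captured traffic): header plus a few payload bytes. */
const uint8_t FRAME_SRC_MATCH[ETH_HDR_LEN + 4] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst: broadcast, no match      */
    0x02, 0x00, 0x6f, 0x03, 0x07, 0x01,   /* src: matches, x = 3, y = 7    */
    0x08, 0x00,                           /* EtherType IPv4                 */
    0x45, 0x00, 0x00, 0x14
};

const uint8_t FRAME_DST_MATCH[ETH_HDR_LEN + 4] = {
    0x02, 0x00, 0x6f, 0x0a, 0x01, 0x01,   /* dst: matches, x = a, y = 1    */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src: unrelated                 */
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x14
};

const uint8_t FRAME_NO_MATCH[ETH_HDR_LEN + 4] = {
    0x02, 0x00, 0x6f, 0x10, 0x07, 0x01,   /* dst: high nibble of octet 3 set */
    0x02, 0x00, 0x6f, 0x03, 0x00, 0x01,   /* src: y = 0, not positive        */
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x14
};

const uint8_t FRAME_TRUNCATED[8] = {
    0x02, 0x00, 0x6f, 0x03, 0x07, 0x01, 0x08, 0x00   /* too short for a header */
};

int main(void)
{
    printf("src match:  %d\n", frame_matches_pattern(FRAME_SRC_MATCH, sizeof FRAME_SRC_MATCH));
    printf("dst match:  %d\n", frame_matches_pattern(FRAME_DST_MATCH, sizeof FRAME_DST_MATCH));
    printf("no match:   %d\n", frame_matches_pattern(FRAME_NO_MATCH, sizeof FRAME_NO_MATCH));
    printf("truncated:  %d\n", frame_matches_pattern(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED));
    return 0;
}
```

Inside the real heuristic dissector, a zero return from `frame_matches_pattern` is the point at which to return FALSE so that the normal Ethernet dissection proceeds; the length guard matters there too, since a heuristic is offered every frame on the "eth" list, including runts.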