This is a static archive of our old Q&A Site. Please post any new questions and answers at

Help for writing heuristic dissector plugin


I intend to write a plugin using a heuristic dissector. I am using the eth heuristic dissector, and my protocol-relevant data will be part of the Ethernet payload, located at the end of the Ethernet payload. Now, in dissect_myproto, will the tree pointer directly/autonomously point to my protocol-relevant data when my dissector gets called, or will I have to manipulate it to point to my protocol-relevant data?

asked 05 Jun '12, 09:36


accept rate: 0%

One Answer:


You need to read README.developer in the source tree.

As discussed on your very similar question, tvb is a pointer to the buffer containing the data from the packet that you will dissect, pinfo is a pointer to lots of other information about the packet and tree is a pointer to the proto tree where you put the results of your dissection.

answered 05 Jun '12, 12:49


grahamb ♦
accept rate: 22%

OK, my mistake. In my question, when I said "tree", I meant tvb. All this confusion has arisen due to call_dissector. Actually, my protocol-relevant data lies at the end of the Ethernet payload, so I am wondering: do I have to use call_dissector for eth first and then do my dissection?

(05 Jun '12, 16:01) yogeshg

Let me explain myself more. Earlier, my protocol-relevant data was coming first thing in the Ethernet payload, and I was dissecting it, followed by a call to the dissector for IP, e.g.:

ip_handle = find_dissector("ip");


But now my proto data is at the end of the Ethernet payload, so do I need to reverse this? Do I need to call_dissector for IP first and then do my dissection on my proto data? I hope I made myself clear this time.

(05 Jun '12, 16:49) yogeshg
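
An added example, not part of the original thread and not Wireshark code: a bounds-checked way to find where data placed at the end of an Ethernet payload begins, by reading the IPv4 total length. It assumes the payload starts with an IPv4 packet; `find_trailer_offset` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not a Wireshark API). Given an Ethernet payload that
 * starts with an IPv4 packet, return the offset of the bytes that follow the
 * IP datagram and store their count in *trailer_len. Returns -1 if the buffer
 * cannot be parsed or nothing follows the datagram.
 * Caveat: on short frames the trailing bytes may simply be Ethernet padding,
 * so a heuristic dissector must still validate them before claiming them. */
long find_trailer_offset(const uint8_t *payload, size_t payload_len,
                         size_t *trailer_len)
{
    if (payload == NULL || trailer_len == NULL || payload_len < 20)
        return -1;                       /* shorter than a minimal IPv4 header */
    if ((payload[0] >> 4) != 4)
        return -1;                       /* version field is not IPv4 */

    size_t ihl   = (size_t)(payload[0] & 0x0F) * 4;          /* header length */
    size_t total = ((size_t)payload[2] << 8) | payload[3];   /* total length  */

    if (ihl < 20 || total < ihl)
        return -1;                       /* malformed length fields */
    if (total >= payload_len)
        return -1;                       /* truncated capture or no trailer */

    *trailer_len = payload_len - total;
    return (long)total;
}

/* Constructed sample: 20-byte IPv4 header (total length 24), 4 bytes of IP
 * payload, then 4 trailing bytes standing in for the custom protocol data. */
static const uint8_t sample_payload[] = {
    0x45, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
    0x01, 0x02, 0x03, 0x04,              /* IP payload */
    0xAA, 0xBB, 0xCC, 0xDD               /* trailing bytes */
};

int main(void)
{
    size_t len = 0;
    long off = find_trailer_offset(sample_payload, sizeof sample_payload, &len);
    printf("trailer offset=%ld length=%zu\n", off, len);
    return 0;
}
```

In a dissector, the returned offset is the position within tvb at which the trailing data would be read.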