This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

help for writing heuristic dissector plugin


I intend to write a plugin using a heuristic dissector. I am using the eth heuristic dissector, and my protocol-relevant data will be part of the Ethernet payload, located at the end of the Ethernet payload. Now in dissect_myproto, will the tree pointer directly/autonomously point to my protocol-relevant data when my dissector gets called, or will I have to manipulate it to point to my protocol-relevant data?

asked 05 Jun '12, 09:36


yogeshg


One Answer:


You need to read README.developer in the source tree.

As discussed on your very similar question, tvb is a pointer to the buffer containing the data from the packet that you will dissect, pinfo is a pointer to lots of other information about the packet and tree is a pointer to the proto tree where you put the results of your dissection.

answered 05 Jun '12, 12:49


grahamb ♦

OK, my mistake. In my question when I said "tree", I meant tvb. All this confusion has arisen due to call_dissector; actually my protocol-relevant data lies at the end of the Ethernet payload, so I am wondering: do I have to use call_dissector for eth first and then do my dissection?

(05 Jun '12, 16:01) yogeshg

Let me explain myself more. Earlier my protocol-relevant data was coming first in the Ethernet payload and I was dissecting it, followed by a call to the dissector for IP, e.g.:

ip_handle = find_dissector("ip");

call_dissector(ip_handle,....

But now my proto data is at the end of the Ethernet payload, so do I need to reverse this? Do I need to call_dissector for IP first and then do my dissection on my proto data? Hope I made myself clear this time.

(05 Jun '12, 16:49) yogeshg
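Whichever order the dissectors are called in, the heuristic has to locate the trailer itself, and on Ethernet II the only way to know where the IP packet stops is the IPv4 Total Length field. The following is an added example, not code from this thread or from Wireshark: the same offset arithmetic in plain C, modelled on a byte buffer instead of a tvb (in a real dissector the bounds come from tvb_reported_length() and the IP part would be handed to the "ip" handle as a tvb subset). The trailer layout, MYPROTO_MAGIC, MYPROTO_TRAILER_LEN and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800
#define MYPROTO_TRAILER_LEN 6   /* assumed trailer: 2-byte magic + 4 bytes of data */
#define MYPROTO_MAGIC 0xABCD    /* assumed marker the heuristic looks for */

/* Where the inner IP packet and our trailer sit inside the frame. */
struct split {
    size_t ip_off, ip_len;      /* bytes to hand to the "ip" dissector */
    size_t trailer_off;         /* start of our own protocol data */
};

/* Returns 1 and fills *out if the frame is IPv4 immediately followed by our trailer,
 * 0 otherwise (a heuristic dissector rejects the frame and the next one is tried). */
int find_trailer(const uint8_t *frame, size_t frame_len, struct split *out)
{
    if (frame_len < ETH_HDR_LEN + 20 + MYPROTO_TRAILER_LEN)
        return 0;                                   /* too short to hold all three parts */
    uint16_t ethertype = (uint16_t)(frame[12] << 8 | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return 0;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return 0;
    /* Ethernet II carries no length, so IP's Total Length tells us where IP ends. */
    size_t ip_len = (size_t)(ip[2] << 8 | ip[3]);
    if (ip_len < 20 || ETH_HDR_LEN + ip_len + MYPROTO_TRAILER_LEN != frame_len)
        return 0;                                   /* trailer must sit right after IP */
    const uint8_t *tr = frame + ETH_HDR_LEN + ip_len;
    if ((tr[0] << 8 | tr[1]) != MYPROTO_MAGIC)
        return 0;
    out->ip_off = ETH_HDR_LEN;
    out->ip_len = ip_len;
    out->trailer_off = ETH_HDR_LEN + ip_len;
    return 1;
}

/* Constructed sample frame (not a real capture): Ethernet II + minimal IPv4 header + trailer. */
size_t build_sample(uint8_t *buf, int good_magic)
{
    static const uint8_t eth[ETH_HDR_LEN] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00};
    static const uint8_t ip[20] = {0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2};
    uint8_t tr[MYPROTO_TRAILER_LEN] = {0xAB,0xCD, 1,2,3,4};
    if (!good_magic) tr[0] = 0;                     /* break the magic to exercise rejection */
    memcpy(buf, eth, ETH_HDR_LEN);
    memcpy(buf + ETH_HDR_LEN, ip, 20);
    memcpy(buf + ETH_HDR_LEN + 20, tr, MYPROTO_TRAILER_LEN);
    return ETH_HDR_LEN + 20 + MYPROTO_TRAILER_LEN;
}

/* Trailer offset on the sample frame, or -1 if the heuristic rejects it. */
long check_sample(int good_magic)
{
    uint8_t buf[64];
    struct split s;
    size_t n = build_sample(buf, good_magic);
    return find_trailer(buf, n, &s) ? (long)s.trailer_off : -1;
}
```

With this split in hand the order of calls is a choice: the IP bytes go to the "ip" handle as a subset of the tvb, and the trailer bytes (here at offset 34) go into the plugin's own tree.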