This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark’s protocol classification technique (new developer question)


I working with a small team to develop a wireshark plugin for a new protocol.

The protocol has no header, so it is difficult (impossible maybe) to identify weather or not a packet contains this protocol.

Also the protocol is state dependent, so it is important our plugin not receive packets containing other protocols.

Currently our plugin works by assuming everything on a given UDP port is our protocol.

Is there some way to identify other protocols sent on our port, or at least tell wireshark to check all other protocols first before handing packets off to our plugin?

Thanks much for your help!

asked 26 Jan '11, 14:08

drjohnso's gravatar image

accept rate: 0%

One Answer:


The best you can do is enable the UDP preference: "Try heuristic sub-dissectors first".

answered 26 Jan '11, 14:21

Jaap's gravatar image

Jaap ♦
accept rate: 14%

Thanks for your help.

I am guessing that "Try heuristic sub-dissectors first" will do something like I stated "tell wireshark to check all other protocols first before handing packets off to our plugin"

Am I right? Do you know where I could find any documentation on this?

(26 Jan '11, 14:55) drjohnso

There are two types of dissectors for UDP-based protocols - dissectors called for specific port numbers, and dissectors called for all packets that can accept or reject a packet. The latter are called "heuristic" dissectors; "Try heuristic sub-dissectors first" means those will be called before dissectors for specific port numbers are called.

(26 Jan '11, 19:28) Guy Harris ♦♦