This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can a heuristic dissector be applied to the entire TCP connection?

0

I have a TCP session consisting of multiple packets. When I select any one of them and say "Decode as..." for my dissector, the dissector is properly applied to all packets in the entire session.

I can write a heuristic detector for my dissector that will match only the first packet in the sequence. However, when I do this, only the first packet is decoded by my dissector, and the remaining packets don't get dissected. Is it possible to tell the heuristic to apply the same dissector to all packets in the same TCP session?

asked 23 May '13, 07:53

LouisDx's gravatar image

LouisDx
11336
accept rate: 0%

edited 23 May '13, 07:53

One Answer:

1

once your heuristic kicks in you can set up a conversation and define your dissector as the conversation dissector. See conversation.h for the API and search the sources for examples (packet-sip, maybe).

answered 23 May '13, 08:00

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

edited 23 May '13, 08:16

grahamb's gravatar image

grahamb ♦
19.8k330206

That sounds promising -- thanks!

(23 May '13, 08:06) LouisDx

It worked, perfect!

(23 May '13, 08:34) LouisDx