This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Creating subdissector table for Heuristic Dissector

0

Hello,

So I'm developing a tool right now that creates dissectors based on XML input. I have it working so that all the dissectors created (40+ as of now) are added simply as heuristic dissectors. The way I want it to work is that I have one heuristic dissector that determines if it is one of these messages, and then try all the heuristic sub-dissectors in its table if it is.

I tried implementing this but couldn't find much documentation on it. What I have now crashes whenever it receives one of the messages I want it to dissect.

Here's where I register the subdissector list:

    void
    proto_reg_handoff_srcmsg(void) {
        srcmsg_handle = new_create_dissector_handle(dissect_heur_srcmsg, proto_srcmsg);
        /* register as a dissector for udp packets */
        heur_dissector_add("udp", dissect_heur_srcmsg, proto_srcmsg);

        register_heur_dissector_list("srcmsg", &sub_dissectors);
    }

And here is where I call the subdissector, at the bottom of dissect_heur_srcmsg:

        dissector_try_heuristic(sub_dissectors, tvb, pinfo, tree, NULL, NULL);

        return TRUE;
    }

Here is where the other dissectors register as subdissectors:

    void
    proto_reg_handoff_srcmsg(void)
    {
        srcmsg_handle = new_create_dissector_handle(dissect_heur_srcmsg, proto_srcmsg);

        heur_dissector_add("srcmsg", dissect_heur_srcmsg, proto_srcmsg);
    }

The reason I want to do this is so I can filter for all these messages, in addition to filtering for them specifically. Please let me know if there is a simpler way to accomplish this (there probably is).

Also, when I open the Dissector Tables window and look at Heuristic Dissectors, my protocol shows up, but without any subdissectors registered to it. If anyone has any tips on what I should change, or a better approach, please let me know.

asked 01 Jul '15, 09:07

broccollirob
accept rate: 0%


One Answer:

1

Move the line

register_heur_dissector_list("srcmsg", &sub_dissectors);

from proto_reg_handoff_srcmsg() to the proto_register_srcmsg() function: the heuristic table must be created before the call to the various handoff functions.

answered 01 Jul '15, 10:59

Pascal Quantin
accept rate: 30%

Thank you, this helped a lot. Now the protocols are registering correctly; I can check the heuristic tables and see them all there.

I am, however, still crashing when I call dissector_try_heuristic(). I'm going to mess around with it for a bit, but if you have any ideas about what's happening or why, let me know.

(01 Jul '15, 11:34) broccollirob
1

You cannot use a NULL pointer for the heur_dtbl_entry pointer. So your call should be:

dissector_try_heuristic(sub_dissectors, tvb, pinfo, tree, &hdtbl_entry, NULL);

PS: please consider accepting the answer, this will be useful for other users in case they perform a search on the same subject as yours.

(01 Jul '15, 12:03) Pascal Quantin

Perfect, that got it working

(01 Jul '15, 12:15) broccollirob
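As an added stand-alone illustration of the arrangement the thread converges on (example code, not from the question, the answer or Wireshark itself): a small model in plain C of a heuristic dissector list with the three pieces in the corrected order. The list is created in the register phase, the sub-protocols attach to it by name in their handoff phase, and the outer heuristic does a cheap common check before trying the sub-list with a real out-pointer for the matching entry. The heur_list_* helpers, buf_t, the "SRC" wire format and the sub_a/sub_b protocols are all constructed for this example; they only stand in for the roles of register_heur_dissector_list(), heur_dissector_add(), dissector_try_heuristic() and tvbuff_t and are not their real signatures.

```c
/* Stand-alone model of the two-level heuristic dispatch discussed above. NOT the
 * Wireshark API: the types and heur_list_* helpers are minimal stand-ins so the
 * control flow compiles and runs without epan/ headers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LISTS   4
#define MAX_ENTRIES 8

typedef struct { const uint8_t *data; size_t len; } buf_t;        /* stands in for tvbuff_t */
typedef bool (*heur_fn)(const buf_t *b);                          /* true = "these bytes are mine" */
typedef struct { const char *proto; heur_fn fn; } heur_entry_t;   /* stands in for heur_dtbl_entry_t */
typedef struct { const char *name; heur_entry_t e[MAX_ENTRIES]; size_t n; } heur_list_t;

static heur_list_t lists[MAX_LISTS];
static size_t nlists;

/* Role of register_heur_dissector_list(): create a named list. Belongs in the
 * proto_register_* phase, i.e. before any handoff function adds to it. */
static heur_list_t *heur_list_register(const char *name) {
    if (nlists == MAX_LISTS) return NULL;
    heur_list_t *l = &lists[nlists++];
    memset(l, 0, sizeof *l);
    l->name = name;
    return l;
}

/* Role of heur_dissector_add(): attach a sub-dissector to a list by name. Fails
 * cleanly if the list does not exist yet (the ordering bug in the question). */
static bool heur_list_add(const char *name, const char *proto, heur_fn fn) {
    for (size_t i = 0; i < nlists; i++) {
        heur_list_t *l = &lists[i];
        if (strcmp(l->name, name) != 0) continue;
        if (l->n == MAX_ENTRIES) return false;
        l->e[l->n].proto = proto;
        l->e[l->n].fn = fn;
        l->n++;
        return true;
    }
    return false;
}

/* Role of dissector_try_heuristic(): the first sub-dissector that claims the bytes
 * wins. The caller must pass a real pointer to receive the matching entry. */
static bool heur_list_try(const heur_list_t *l, const buf_t *b, const heur_entry_t **matched) {
    if (!l || !matched) return false;
    *matched = NULL;
    for (size_t i = 0; i < l->n; i++)
        if (l->e[i].fn(b)) { *matched = &l->e[i]; return true; }
    return false;
}

/* Constructed wire format for the example: "SRC" + one type byte + payload. */
static bool dissect_heur_sub_a(const buf_t *b) {   /* type 'A', payload may be empty */
    return b->len >= 4 && b->data[3] == 'A';
}
static bool dissect_heur_sub_b(const buf_t *b) {   /* type 'B', payload required */
    return b->len >= 5 && b->data[3] == 'B';
}

static heur_list_t *sub_dissectors;   /* the list from the question */

static void proto_register_srcmsg(void) {   /* register phase: the list is created HERE */
    sub_dissectors = heur_list_register("srcmsg");
}
static void proto_reg_handoff_subs(void) {  /* handoff phase of the sub-protocols */
    heur_list_add("srcmsg", "sub_a", dissect_heur_sub_a);
    heur_list_add("srcmsg", "sub_b", dissect_heur_sub_b);
}

/* Role of dissect_heur_srcmsg(): cheap common check, then try the sub-list. Returns
 * the protocol that claimed the packet, "srcmsg" if only the common header matched,
 * or NULL if the bytes are not an SRC message at all. */
static const char *dissect_heur_srcmsg(const buf_t *b) {
    if (b->len < 3 || memcmp(b->data, "SRC", 3) != 0) return NULL;
    const heur_entry_t *hdtbl_entry;   /* real out-pointer, as the answer requires */
    if (heur_list_try(sub_dissectors, b, &hdtbl_entry)) return hdtbl_entry->proto;
    return "srcmsg";
}

static const char *classify_str(const char *s) {   /* dissect one constructed sample */
    static bool ready;   /* same startup order Wireshark uses: all register_* first, then handoffs */
    if (!ready) { proto_register_srcmsg(); proto_reg_handoff_subs(); ready = true; }
    buf_t b = { (const uint8_t *)s, strlen(s) };
    return dissect_heur_srcmsg(&b);
}

int main(void) {
    const char *samples[] = { "SRCAhello", "SRCBxy", "SRCB", "SRCZ", "HTTP" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *who = classify_str(samples[i]);
        printf("%-10s -> %s\n", samples[i], who ? who : "(not an SRC message)");
    }
    return 0;
}
```

Unlike the real table, the stand-in returns false instead of dereferencing NULL when the list has not been created yet or when no out-pointer is supplied, so both mistakes from the thread show up as a failed call rather than a crash; the dispatch itself (outer check first, then first-match-wins over the sub-list, falling back to the generic protocol) is the same shape as the corrected dissector.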