Hello, I am writing dissectors for several udp protocols that use header only packets for heartbeating that lack exact identifying values for heuristic dissection. However, in the non heartbeat packets there are identifying fields. Is there a way to have a dissector look at multiple packets (like 10) in a heuristic method before determining which protocol to use? Thanks in advance. asked 21 Dec '16, 08:12 william |
One Answer:
A dissectors job is to look at (part of) the packet currently at hand, which is sequential when first read from the capture file, then at random when packet details are required for presentation in the GUI, or when running analysis, etc. What you can do is use the other features of the dissection engine to support these needs. One that pops to mind is the use of conversations. There you define a flow of packets between two IP/port end points for UDP packets and associate a dissector to it then. That's how you have the dissector setup right dissector for these UDP packets. The same can be achieved manually through the use of the 'Decode as' feature, but automatic sounds better to me. See doc/README.dissector for some background on conversations. answered 21 Dec '16, 12:20 Jaap ♦ |
Thanks, I will take a look. We are trying to avoid the 'Decode as' feature. Are there any examples where an existing dissector decodes some bytes then looks at a conversation before deciding decoding type?
It's the other way around. The dissector heuristics decide if the current payload is his, then sets up a conversation based on the communication parameters so that any payload of packets matching these parameters are send there.