This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I am writing dissectors for several udp protocols that use header only packets for heartbeating that lack exact identifying values for heuristic dissection. However, in the non heartbeat packets there are identifying fields. Is there a way to have a dissector look at multiple packets (like 10) in a heuristic method before determining which protocol to use?

Thanks in advance.

asked 21 Dec '16, 08:12

william's gravatar image

william
5335
accept rate: 0%


A dissectors job is to look at (part of) the packet currently at hand, which is sequential when first read from the capture file, then at random when packet details are required for presentation in the GUI, or when running analysis, etc.

What you can do is use the other features of the dissection engine to support these needs. One that pops to mind is the use of conversations. There you define a flow of packets between two IP/port end points for UDP packets and associate a dissector to it then. That's how you have the dissector setup right dissector for these UDP packets. The same can be achieved manually through the use of the 'Decode as' feature, but automatic sounds better to me. See doc/README.dissector for some background on conversations.

permanent link

answered 21 Dec '16, 12:20

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks, I will take a look. We are trying to avoid the 'Decode as' feature. Are there any examples where an existing dissector decodes some bytes then looks at a conversation before deciding decoding type?

(21 Dec '16, 12:46) william

It's the other way around. The dissector heuristics decide if the current payload is his, then sets up a conversation based on the communication parameters so that any payload of packets matching these parameters are send there.

(21 Dec '16, 14:51) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×431
×10

question asked: 21 Dec '16, 08:12

question was seen: 738 times

last updated: 21 Dec '16, 14:51

p​o​w​e​r​e​d by O​S​Q​A