This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why does my heuristic dissector leave “Data” on the tree?

0

I have a heuristic dissector which works perfectly, but the tree still contains a "data" field which contains the same number of bytes as the dissector decoded. The tree appears as:

IP
TCP
<my protocol>
Data <x bytes>

Is there a way to remove or block that Data leaf from binding to the tree?

asked 21 Feb '12, 11:56

Clifford%20Haas's gravatar image

Clifford Haas
0222
accept rate: 0%

edited 21 Feb '12, 14:10

multipleinterfaces's gravatar image

multipleinte...
1.3k152340

One Answer:

2

Make sure to return TRUE from your heuristic dissector.

answered 21 Feb '12, 12:20

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

I have verified that the dissector does return TRUE. I even placed a "return (TRUE)" near the top of the dissector, right after I change the column info. This still left DATA on the tree. 8-(

(24 Feb '12, 06:34) Clifford Haas

Is it possible that using tcp_dissect_pdus to reassemble is conflicting with pure TCP heuristic?

(24 Feb '12, 07:08) Clifford Haas