Wireshark will first[1] try giving a given packet to port-registered dissectors. If any of them accept the message, it's done. If none of them take the message (or there are no port-registered dissectors on that port), Wireshark will give the packet to each heuristic TCP dissector, one after the other, until one accepts the packet.
[1] TCP has a "try heuristic subdissectors first" option which makes it try the heuristic dissectors before the port-registered ones.

Tom Stevens wrote:
> Thanks for the information!
>
> But, without a Port number, how can Wireshark find (identify) the
> correct dissector for the incoming packets? What are specific criteria?
> Maybe you can give me an example. I'm a bit slow on the uptake at the
> moment.
>
> Greetings Tom (Germany)
>
> 2008/8/27 Kumar, Hemant <[EMAIL PROTECTED]>
>
> > Basically Heuristic Dissector means that your dissector will accept
> > all the Traffic Packets and will not segregate based on port number.
> >
> > So to identify your own custom dissector protocol messages you have
> > to separate out the packets based on certain criteria specific to your
> > protocol.
> >
> > And a normal dissector is registered with the Wireshark based on
> > port information which tells the Wireshark on which port your message is
> > going to be exchanged.
> >
> > I hope it clarifies.
> >
> > Hemant.
> >
> > ------------------------------------------------------------------------
> >
> > *From:* [EMAIL PROTECTED] *On Behalf Of* Tom Stevens
> > *Sent:* Wednesday, August 27, 2008 2:24 PM
> > *To:* [email protected]
> > *Subject:* [Wireshark-dev] heuristic Dissector vs. normal dissector
> >
> > Hi!
> >
> > What are the differences between a heuristic dissector and a normal
> > dissector? So far I have not considered heuristic dissectors,
> > because I did not know what they are and how to use them.
> > Maybe you can help!
> >
> > Thanks in advance Tom (Germany)

_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev
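
A simplified, self-contained model of the dispatch order described in the message above, added here as an example; it is not Wireshark source and does not use Wireshark's dissector API. The `TOMP` magic, the port numbers and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only: every name here is hypothetical. A dissector returns true
   when it accepts the payload and false when it declines it. */
typedef bool (*dissect_fn)(const uint8_t *p, size_t len);

/* Heuristic for a constructed protocol: magic "TOMP", then a big-endian
   16-bit body length that must match the bytes actually present. */
static bool heur_tomp(const uint8_t *p, size_t len) {
    if (len < 6 || memcmp(p, "TOMP", 4) != 0) return false;
    return (((size_t)p[4] << 8) | p[5]) == len - 6;
}

/* Port-registered dissector that accepts anything arriving on its port. */
static bool port_any(const uint8_t *p, size_t len) { (void)p; return len > 0; }

struct entry { uint16_t port; dissect_fn fn; const char *name; };
static const struct entry port_table[] = { { 8080, port_any, "port-8080" } };
static const struct entry heur_list[]  = { { 0, heur_tomp, "tomp" } }; /* port unused */

static const char *try_port(uint16_t port, const uint8_t *p, size_t len) {
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].port == port && port_table[i].fn(p, len))
            return port_table[i].name;
    return NULL;
}

static const char *try_heur(const uint8_t *p, size_t len) {
    for (size_t i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i].fn(p, len)) return heur_list[i].name; /* first to accept wins */
    return NULL;
}

/* Name of the accepting dissector, or "data" when every dissector declines. */
const char *dispatch(uint16_t port, const uint8_t *p, size_t len, bool heur_first) {
    const char *hit = heur_first ? try_heur(p, len) : try_port(port, p, len);
    if (!hit) hit = heur_first ? try_port(port, p, len) : try_heur(p, len);
    return hit ? hit : "data";
}

/* Constructed sample payloads: one valid, one with an inconsistent length field. */
const uint8_t pkt_tomp[]   = { 'T', 'O', 'M', 'P', 0x00, 0x02, 0xAA, 0xBB };
const uint8_t pkt_badlen[] = { 'T', 'O', 'M', 'P', 0x00, 0x09, 0xAA, 0xBB };

int main(void) {
    printf("%s\n", dispatch(9999, pkt_tomp, sizeof pkt_tomp, false));
    printf("%s\n", dispatch(8080, pkt_tomp, sizeof pkt_tomp, true));
    return 0;
}
```

In this model a loose heuristic (magic only, no length check) would also claim `pkt_badlen`, which is why the acceptance test checks more than one property of the payload.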
