Thank you very much for your great explanation. Something I had known before, but thanks anyway. Particularly the point "How do these heuristics work?" and your given example should be very useful for anybody who wants to know how a heuristic dissector works.
My problem is that I have to write a heuristic dissector on my own. Hence, I need code snippets or something else that will show me how to put my ideas (searching patterns) down on paper (C source code). For example, which lines of code do I need to explain to Wireshark to check these 4 conditions:

1) first byte must be 0x42
2) second byte is a type field and can only contain values between 0x20 - 0x33
3) third byte is a flag field, where the lower 4 bits always contain the value 0
4) fourth and fifth bytes contain a 16-bit length field, where the value can't be longer than 10000 bytes

My protocol should work independently of the underlying (I hope this is the right word) protocol, respectively port numbers. Look at the picture to see what I mean: http://farm4.static.flickr.com/3185/2802328059_ed78644686_o.png

Hope you can help me, greetings
Tom (Germany)

2008/8/30 Maynard, Chris <[EMAIL PROTECTED]>
> I think this information would best be placed in the doc/ directory,
> either residing in its own README.heuristic file (with a mention of it
> from README.developer) or residing directly in README.developer itself,
> under its own section. Wherever it lives, I think it would also be very
> useful to include a heuristic dissector code skeleton, just as the
> README.developer does now in section 1.2 for normal dissectors.
>
> There may be general interest from the user's perspective, but I think
> it's better to keep it simple. Section 9.4 [of Wireshark-1.0.2] user
> guide does a pretty nice job already, I think, although some dissectors,
> UDP & TCP for instance, have a preference for controlling whether
> heuristic dissectors are tried first or not, so that might also be worth
> mentioning in the user guide (or maybe it is and I just didn't see it).
>
> I don't know if that counts as a concrete idea or not, but it's my 2
> cents. (Of course with the exchange rate being so bad these days, it's
> probably worth much less than that.)
> - Chris
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:wireshark-dev-[EMAIL PROTECTED] On Behalf Of Ulf Lamping
> > Sent: Friday, August 29, 2008 5:50 PM
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] heuristic Dissector for Dummies
> >
> > Peter Johansson wrote:
> > > Nicely put Ulf! This information is certainly a candidate for addition
> > > to the Wireshark Wiki.
> > >
> > Thanks!
> >
> > While writing it, I was having in mind to put it into the sources doc
> > dir. As it turns out, this info might also be of general interest for
> > the common WS user - so I'm not sure where's the best place to put it.
> >
> > Concrete ideas?
> >
> > Regards, ULFL
>
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> https://wireshark.org/mailman/listinfo/wireshark-dev
_______________________________________________ Wireshark-dev mailing list [email protected] https://wireshark.org/mailman/listinfo/wireshark-dev
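The four header conditions from Tom's message, written as a stand-alone C check over a byte buffer (an added example, not code from the thread or from Wireshark). In a real heuristic dissector the same tests would read the packet through the tvbuff accessors (tvb_captured_length, tvb_get_guint8, tvb_get_ntohs) and the function would be registered with heur_dissector_add() for the "udp" and "tcp" heuristic lists; the constants and sample packets below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: Tom's four conditions as a pure-C heuristic. Names and
 * sample bytes are constructed; only the rules come from the mail. */
#define HDR_LEN      5       /* bytes the heuristic needs to inspect */
#define MAGIC        0x42    /* 1) required first byte */
#define TYPE_MIN     0x20    /* 2) allowed type range, inclusive */
#define TYPE_MAX     0x33
#define MAX_PAYLOAD  10000   /* 4) upper bound for the 16-bit length */

/* Returns 1 if buf starts with a plausible header, 0 otherwise.
 * A heuristic must reject early and cheaply: most traffic is not ours. */
int looks_like_myproto(const uint8_t *buf, size_t len)
{
    uint16_t declared;

    /* Never read fields that are not present in the captured data. */
    if (len < HDR_LEN)
        return 0;
    /* 1) first byte must be the magic value */
    if (buf[0] != MAGIC)
        return 0;
    /* 2) second byte is a type field restricted to 0x20..0x33 */
    if (buf[1] < TYPE_MIN || buf[1] > TYPE_MAX)
        return 0;
    /* 3) third byte is a flag field whose lower four bits are always zero */
    if ((buf[2] & 0x0F) != 0)
        return 0;
    /* 4) bytes four and five hold a big-endian 16-bit length, at most 10000 */
    declared = (uint16_t)((buf[3] << 8) | buf[4]);
    if (declared > MAX_PAYLOAD)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t good[]      = { 0x42, 0x25, 0xA0, 0x00, 0x40 };
    const uint8_t bad_flags[] = { 0x42, 0x25, 0xA5, 0x00, 0x40 };
    const uint8_t too_long[]  = { 0x42, 0x25, 0xA0, 0x27, 0x11 }; /* 10001 */

    printf("good:      %d\n", looks_like_myproto(good, sizeof good));
    printf("bad flags: %d\n", looks_like_myproto(bad_flags, sizeof bad_flags));
    printf("too long:  %d\n", looks_like_myproto(too_long, sizeof too_long));
    return 0;
}
```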
