On Sep 8, 2008, at 7:56 AM, Maynard, Chris wrote:

> I do have one more question/thought about heuristic dissectors as it
> pertains to TCP heuristic dissectors though. Should the
> README.heuristic examples be changed to make use of tcp_dissect_pdus()
> for TCP-based heuristic dissectors?

The protocol being dissected isn't specified completely enough to do
so - you'd have to specify whether the length field includes the
header or not.

With that specified, it might make sense to use tcp_dissect_pdus(), so
that we show how to write such a dissector (in particular, to show
that you *don't* call tcp_dissect_pdus() until you've figured out
whether the TCP segment is one of yours or not).

> In fact, should existing Wireshark dissectors that currently simply
> register as TCP heuristic dissectors be modified so they can take
> advantage of TCP reassembly? A quick grep of
> epan/dissectors/packet-*.c yields 41 such dissectors.

Yes, and so should existing Wireshark dissectors that register as TCP
*non*-heuristic dissectors.

Note that not all TCP dissectors can use tcp_dissect_pdus() to do
reassembly - only the ones where, for some value of N:

1) no PDU for the protocol is shorter than N bytes long

and

2) the length of a PDU can be determined by looking at the first N
bytes.
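
The two conditions and the "heuristic check first" ordering from the message above, as an added stand-alone C sketch that is not part of the original message and is not Wireshark code. The "WX" protocol, the choice that its length field includes the header, and the names `looks_like_ours`, `get_pdu_len` and `feed_segment` are assumptions made for illustration; the reassembly is a simple buffer model, not how tcp_dissect_pdus() is implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed protocol: 'W' 'X', then a 16-bit big-endian length that is
 * assumed to INCLUDE the 4-byte header. */
#define HDR_LEN 4 /* "N": no PDU is shorter; the length is in the first N bytes */

struct stream { uint8_t buf[256]; size_t used; int claimed; unsigned pdus; };

/* Heuristic check, done before any reassembly: is this segment ours? */
static int looks_like_ours(const uint8_t *p, size_t len) {
    return len >= HDR_LEN && p[0] == 'W' && p[1] == 'X';
}

/* Condition 2: the PDU length is computable from the first HDR_LEN bytes. */
static size_t get_pdu_len(const uint8_t *hdr) {
    return ((size_t)hdr[2] << 8) | hdr[3];
}

/* Feed one TCP segment's payload. Returns the number of PDUs completed by
 * it, or -1 if the stream is rejected (not ours, or malformed). */
static int feed_segment(struct stream *s, const uint8_t *seg, size_t len) {
    int done = 0;
    if (!s->claimed) {
        if (!looks_like_ours(seg, len))
            return -1;          /* leave it for other dissectors */
        s->claimed = 1;         /* only now start reassembling */
    }
    if (len > sizeof s->buf - s->used)
        return -1;
    memcpy(s->buf + s->used, seg, len);
    s->used += len;
    while (s->used >= HDR_LEN) {            /* else: header itself is split */
        size_t plen = get_pdu_len(s->buf);
        if (plen < HDR_LEN || plen > sizeof s->buf)
            return -1;                      /* violates condition 1 / too big */
        if (s->used < plen)
            break;                          /* PDU continues in next segment */
        memmove(s->buf, s->buf + plen, s->used - plen);
        s->used -= plen;
        s->pdus++;
        done++;
    }
    return done;
}
```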