0

select a dissector by magic in header

Hi, I would like to select a dissector not only by a port number. I would like to select the dissector by data.data[0-4] = "magic". For port I use dissector_add_uint. How can I do it for such an expression above?

Clemens

clemens1509
asked 2021-02-01 13:45:23 +0000

2 Answers

1

Have you looked at README.heuristic?
"A HD looks into the first few packet bytes and searches for common patterns that are specific to the protocol in question."

Chuckc
answered 2021-02-01 16:12:44 +0000

Comments

Thanks, heuristics works.

clemens1509 (2021-02-01 16:45:42 +0000)

If an answer has solved your issue please accept it by clicking the checkmark icon to the left of it, this helps others who may have the same question.

grahamb (2021-02-02 08:48:11 +0000)
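The heuristic approach from the answer above, sketched as a Wireshark Lua dissector (an added example, not code from this thread or from README.heuristic, which describes the C API). The protocol name `magicproto`, its field names, and the choice of the `udp` heuristic list are assumptions.

```lua
-- Added example: claim a packet only when its payload starts with the
-- five bytes "magic". "magicproto" and its fields are hypothetical names;
-- registering on the "udp" heuristic list is an assumption.
local MAGIC = "magic"

local magic_proto = Proto("magicproto", "Magic Header Protocol (example)")
local f_magic   = ProtoField.string("magicproto.magic", "Magic")
local f_payload = ProtoField.bytes("magicproto.payload", "Payload")
magic_proto.fields = { f_magic, f_payload }

-- Regular dissector: only called after the heuristic accepted the packet,
-- so the first #MAGIC bytes are known to be present.
function magic_proto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MAGIC"
    local subtree = tree:add(magic_proto, tvb())
    subtree:add(f_magic, tvb(0, #MAGIC))
    if tvb:captured_len() > #MAGIC then
        subtree:add(f_payload, tvb(#MAGIC))
    end
    return tvb:captured_len()
end

-- Heuristic: inspect the first bytes and reject quickly, so that other
-- heuristic dissectors on the same transport still get their turn.
local function heur_magic(tvb, pinfo, tree)
    -- Bounds check first: a short or truncated packet is not ours, and
    -- reading past the captured data would raise an error.
    if tvb:captured_len() < #MAGIC then
        return false
    end
    -- Compare raw bytes rather than a decoded string, so embedded NULs
    -- or odd encodings cannot produce a false match.
    if tvb(0, #MAGIC):raw() ~= MAGIC then
        return false
    end
    magic_proto.dissector(tvb, pinfo, tree)
    return true
end

-- Port-independent registration; a port-based registration can coexist
-- with this through DissectorTable.get("udp.port"):add(port, magic_proto).
magic_proto:register_heuristic("udp", heur_magic)
```

Load the file through Wireshark's Lua plugin directory or with `-X lua_script:<file>`; the heuristic is tried on UDP payloads that no port-based dissector has claimed.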
0

Answer in comments.

Chuckc
answered 2021-02-01 19:59:57 +0000

Comments

@Chuckc: I don't know whether everybody's allowed to do this, but there's a "convert to answer" link below a comment, after the "edit" link, so at least some people can convert a comment to an answer; I did that with your comment. (It's a bit more work to move responses to your answer under the new answer - you have to convert those comments to answers and then convert them back to comments "under older answer".)

Guy Harris (2021-02-02 03:06:38 +0000)

Thanks! Looks like the Karma level for that is 2000 - How does karma system work? which is good. Graham and Jaap are still training me. :-)

Chuckc (2021-02-02 03:30:11 +0000)