Revision history [back]
Heuristic Dissector is never called
Hello! I was trying to write a dissector for a custom protocol. The supposed protocol has a specific sync word so I tried to make my dissector be port-agnostic that simply searches for the specified word in the beginning of the header.
Here's a sketch of the code:
static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *foo_proto_tree, void* data){
// build protocol tree...
}
static gboolean
frame_sync_test_foo(tvbuff_t *tvb)
{
if (tvb_strncaseeql(tvb, UDP_OFFSET, "FOOBAR", 6) == 0) {
return TRUE;
}
return FALSE;
}
static gboolean
dissect_foo_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
if ( !frame_sync_test_foo(tvb) ) {
return FALSE;
}
dissect_foo(tvb, pinfo, tree, data);
return TRUE;
}
void
proto_reg_handoff_foo(void)
{
static dissector_handle_t foo_handle;
foo_handle = create_dissector_handle(dissect_foo, proto_foo);
register_dissector("FOO", dissect_foo, proto_foo);
heur_dissector_add("udp", dissect_foo_heur, "FOO (UDP)", "foo_udp", proto_foo, HEURISTIC_ENABLE);
}
void proto_register_foo(void)
{
/* Setup protocol subtree array */
static gint *ett[] = {
&ett_foo,
&ett_foo_primary_hdr,
&ett_foo_secondary_hdr
};
// set-up header files...
proto_foo = proto_register_protocol("FOO", "FOOBAR", "foo");
proto_register_field_array(proto_foo, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}
After compiling, my protocol is registered as expected (meaning that I can see my protocol in the list of available protocols and its hash table contains all the fields I set up), but I couldn't dissect any packet. I generated a few UDP packets and while I'd expect the UDP payload to be dissected according to my protocol (granted its first few bytes match the ones of the sync word), I don't get anything (note that I have the Try heuristic dissectors first option enabled).
Also what perplexes me even more, is the fact that dissect_foo_heur
is never called, which I don't find to be reasonable since the UDP payload doesn't match with any other dissector. That means that Wireshark doesn't ever consider checking my dissector when receiving a UDP packet.
Is there anything wrong with my code or am I misunderstanding something in the way that heuristic dissectors are supposed to work (sorry for the noob question :P)
Heuristic Dissector is never called
Hello! I was trying to write a dissector for a custom protocol. The supposed protocol has a specific sync word so I tried to make my dissector be port-agnostic that simply searches for the specified word in the beginning of the header.
Here's a sketch of the code:
static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *foo_proto_tree, *a3sat_proto_tree, void* data){
// build protocol tree...
}
static gboolean
frame_sync_test_foo(tvbuff_t *tvb)
{
if (tvb_strncaseeql(tvb, UDP_OFFSET, "FOOBAR", 6) == 0) {
return TRUE;
}
return FALSE;
}
static gboolean
dissect_foo_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
if ( !frame_sync_test_foo(tvb) ) {
return FALSE;
}
dissect_foo(tvb, pinfo, tree, data);
return TRUE;
}
void
proto_reg_handoff_foo(void)
{
static dissector_handle_t foo_handle;
foo_handle = create_dissector_handle(dissect_foo, proto_foo);
register_dissector("FOO", dissect_foo, proto_foo);
heur_dissector_add("udp", dissect_foo_heur, "FOO (UDP)", "foo_udp", proto_foo, HEURISTIC_ENABLE);
}
void proto_register_foo(void)
{
/* Setup protocol subtree array */
static gint *ett[] = {
&ett_foo,
&ett_foo_primary_hdr,
&ett_foo_secondary_hdr
};
// set-up header files...
proto_foo = proto_register_protocol("FOO", "FOOBAR", "foo");
proto_register_field_array(proto_foo, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}
After compiling, my protocol is registered as expected (meaning that I can see my protocol in the list of available protocols and its hash table contains all the fields I set up), but I couldn't dissect any packet. I generated a few UDP packets and while I'd expect the UDP payload to be dissected according to my protocol (granted its first few bytes match the ones of the sync word), I don't get anything (note that I have the Try heuristic dissectors first option enabled).
Also what perplexes me even more, is the fact that dissect_foo_heur
is never called, which I don't find to be reasonable since the UDP payload doesn't match with any other dissector. That means that Wireshark doesn't ever consider checking my dissector when receiving a UDP packet.
Is there anything wrong with my code or am I misunderstanding something in the way that heuristic dissectors are supposed to work (sorry for the noob question :P)