From 04c39bb0972bac1f95eb9394b5ca1086f19c0d93 Mon Sep 17 00:00:00 2001 From: Hadriel Kaplan Date: Mon, 10 Mar 2014 01:54:51 -0400 Subject: Add Lua heuristic dissector support This adds the ability for Lua scripts to register heuristic dissectors for any protocol that has registered a heuristic dissector list, such as UDP, TCP, and ~50 others. The Lua function can also establish a conversation tied to its Proto dissector, to avoid having to check the heuristics for the same flow. The example dissector in the testsuite has also been enhanced to include a heuristic dissector, to verify the functionality and provide an example implementation. Change-Id: Ie232602779f43d3418fe8db09c61d5fc0b59597a Reviewed-on: https://code.wireshark.org/review/576 Reviewed-by: Anders Broman --- doc/README.heuristic | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/README.heuristic b/doc/README.heuristic index 544a64d484..c2830a82c6 100644 --- a/doc/README.heuristic +++ b/doc/README.heuristic @@ -103,7 +103,7 @@ Heuristic Code Example ---------------------- You can find a lot of code examples in the Wireshark sources, e.g.: grep -l heur_dissector_add epan/dissectors/*.c -returns 132 files (Feb 2013). +returns 150 files (March 2014). For the above example criteria, the following code example might do the work (combine this with the dissector skeleton in README.developer): 
@@ -150,7 +150,10 @@ dissect_PROTOABBREV_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, vo /* Assume it's your packet ... */ - /* specify that dissect_PROTOABBREV is to be called directly from now on for packets for this "connection" ... */ + /* specify that dissect_PROTOABBREV is to be called directly from now on for packets for this "connection" ... + * but ONLY do this if your heuristic sits directly on top of UDP or TCP (ie, you did heur_dissector_add("tcp",...)), + * otherwise you'll be overriding the dissector that called your heuristic dissector. + */ conversation = find_or_create_conversation(pinfo); conversation_set_dissector(conversation, PROTOABBREV_handle); @@ -188,5 +191,4 @@ tendency to reuse known port numbers for new protocols. But TCP and UDP are not the only dissectors that provide support for HDs. You can find more examples by searching the Wireshark sources as follows: grep -l register_heur_dissector_list epan/dissectors/packet-*.c -returns 38 files (Feb 2013). - +returns 43 files (March 2014). -- cgit v1.2.3
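Review bot: in the `@@ -150,7 +150,10 @@` hunk the new comment warns that the conversation override is only safe when the heuristic was registered directly on "tcp"/"udp", yet the skeleton code that follows (`conversation = find_or_create_conversation(pinfo);` / `conversation_set_dissector(conversation, PROTOABBREV_handle);`) still runs unconditionally, so anyone who copies the skeleton for a heuristic registered on another protocol will silently override the caller's dissector. Consider either fencing those two lines off as a clearly labelled "only for heur_dissector_add("tcp"/"udp", ...)" variant or dropping them from the generic skeleton and showing them only in the TCP/UDP case. Two small wording points in the same comment: "ie" should be "i.e.", and since the sentence says "UDP or TCP" the parenthetical example should mention "udp" alongside "tcp".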
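Review bot: in the `@@ -188,5 +191,4 @@` hunk the refreshed count is taken with `grep -l register_heur_dissector_list epan/dissectors/packet-*.c`, while the first hunk's refreshed count uses `grep -l heur_dissector_add epan/dissectors/*.c`; since both numbers were regenerated in this change, the two greps should use the same file glob so the counts are comparable (and a reader re-running them gets the same set of files). The removal of the trailing blank line at the end of the file is fine.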