Tom Stevens | 27 Aug 23:20

heuristic Dissector vs. normal dissector

Hi!

What are the differences between a heuristic dissector and a normal dissector? So far I have not considered heuristic dissectors, because I did not know what they are and how to use them.
Maybe you can help!

Thanks in advance Tom (Germany)
Kumar, Hemant | 27 Aug 23:30

Re: heuristic Dissector vs. normal dissector

Basically, a heuristic dissector means that your dissector will accept all the traffic packets and will not segregate based on port number.

So to identify your own custom dissector protocol messages, you have to separate out the packets based on certain criteria specific to your protocol.

And a normal dissector is registered with Wireshark based on port information, which tells Wireshark on which port your messages are going to be exchanged.

I hope it clarifies.

Hemant.

 

From: wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Tom Stevens
Sent: Wednesday, August 27, 2008 2:24 PM
To: wireshark-dev <at> wireshark.org
Subject: [Wireshark-dev] heuristic Dissector vs. normal dissector

 

Hi!

What are the differences between a heuristic dissector and a normal dissector? So far I have not considered heuristic dissectors, because I did not know what they are and how to use them.
Maybe you can help!

Thanks in advance Tom (Germany)

Tom Stevens | 27 Aug 23:56

Re: heuristic Dissector vs. normal dissector

Thanks for the information!

But, without a port number, how can Wireshark find (identify) the correct dissector for the incoming packets? What are specific criteria? Maybe you can give me an example. I'm a bit slow on the uptake at the moment.

Greetings Tom (Germany)



2008/8/27 Kumar, Hemant <kumarh-zC7DfRvBq/JWk0Htik3J/w@public.gmane.org>

Basically, a heuristic dissector means that your dissector will accept all the traffic packets and will not segregate based on port number.

So to identify your own custom dissector protocol messages, you have to separate out the packets based on certain criteria specific to your protocol.

And a normal dissector is registered with Wireshark based on port information, which tells Wireshark on which port your messages are going to be exchanged.

 

I hope it clarifies.

 

Hemant.

 

From: wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Tom Stevens
Sent: Wednesday, August 27, 2008 2:24 PM
To: wireshark-dev-IZ8446WsY0/dtAWm4Da02A@public.gmane.org
Subject: [Wireshark-dev] heuristic Dissector vs. normal dissector

 

Hi!

What are the differences between a heuristic dissector and a normal dissector? So far I have not considered heuristic dissectors, because I did not know what they are and how to use them.
Maybe you can help!

Thanks in advance Tom (Germany)


_______________________________________________
Wireshark-dev mailing list
Wireshark-dev-IZ8446WsY0/dtAWm4Da02A@public.gmane.org
https://wireshark.org/mailman/listinfo/wireshark-dev


Kumar, Hemant | 28 Aug 00:11

Re: heuristic Dissector vs. normal dissector

Wireshark will not identify your dissector.

Basically, let's assume your protocol dissector runs under TCP; then, if you have heuristically registered your dissector with the function

heur_dissector_add("tcp", dissect_your_protocol_tcp, proto_your_protocol_reference);

 

From: wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Tom Stevens
Sent: Wednesday, August 27, 2008 2:57 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] heuristic Dissector vs. normal dissector

 

Thanks for the information!

But, without a port number, how can Wireshark find (identify) the correct dissector for the incoming packets? What are specific criteria? Maybe you can give me an example. I'm a bit slow on the uptake at the moment.

Greetings Tom (Germany)


2008/8/27 Kumar, Hemant <kumarh-zC7DfRvBq/JWk0Htik3J/w@public.gmane.org>

Basically, a heuristic dissector means that your dissector will accept all the traffic packets and will not segregate based on port number.

So to identify your own custom dissector protocol messages, you have to separate out the packets based on certain criteria specific to your protocol.

And a normal dissector is registered with Wireshark based on port information, which tells Wireshark on which port your messages are going to be exchanged.

 

I hope it clarifies.

 

Hemant.

 

From: wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-dev-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Tom Stevens
Sent: Wednesday, August 27, 2008 2:24 PM
To: wireshark-dev <at> wireshark.org
Subject: [Wireshark-dev] heuristic Dissector vs. normal dissector

 

Hi!

What are the differences between a heuristic dissector and a normal dissector? So far I have not considered heuristic dissectors, because I did not know what they are and how to use them.
Maybe you can help!

Thanks in advance Tom (Germany)


_______________________________________________
Wireshark-dev mailing list
Wireshark-dev-IZ8446WsY0/dtAWm4Da02A@public.gmane.org
https://wireshark.org/mailman/listinfo/wireshark-dev

 

Kumar, Hemant | 28 Aug 00:14

Re: heuristic Dissector vs. normal dissector

 

Please ignore the previous response.

So Wireshark will not identify your dissector.

Basically, let's assume your protocol dissector runs under TCP; then, if you have heuristically registered your dissector with the function

heur_dissector_add("tcp", dissect_your_protocol_tcp, proto_your_protocol_reference);

then TCP will hand the payload to your dissector for further parsing.

Now if you know that the first two bytes of the payload are an identifier for your protocol, then you can confirm it and only then accept to dissect that packet; otherwise you can reject it.

That's what I mean by setting certain criteria to filter out the packets of interest.

Thanks

Hemant

 

From: Kumar, Hemant
Sent: Wednesday, August 27, 2008 3:11 PM
To: 'Developer support list for Wireshark'
Subject: RE: [Wireshark-dev] heuristic Dissector vs. normal dissector

 

Wireshark will not identify your dissector.

Basically, let's assume your protocol dissector runs under TCP; then, if you have heuristically registered your dissector with the function

heur_dissector_add("tcp", dissect_your_protocol_tcp, proto_your_protocol_reference);

 

Jeff Morriss | 28 Aug 00:25

Re: heuristic Dissector vs. normal dissector


Wireshark will first[1] try giving a given packet to port-registered 
dissectors.  If any of them accept the message, it's done.  If none of 
them take the message (or there are no port-registered dissectors on 
that port), Wireshark will give the packet to each heuristic TCP 
dissector, one after the other, until one accepts the packet.

[1] TCP has a "try heuristic subdissectors first" option which makes it 
try the heuristic dissectors before the port-registered ones.

Tom Stevens wrote:
> Thanks for the information!
> 
> But, without a Port number, how can wireshark find (identify) the 
> correct dissector for the incoming packets. What are specific criteria? 
> Maybe you can give me an example. I'm a bit slow on the uptake at the 
> moment.
> 
> Greetings Tom (Germany)
> 
> 
> 
> 2008/8/27 Kumar, Hemant <kumarh@... <mailto:kumarh@...>>
> 
>     Basically Heuristic Dissector means that your dissector will accept
>     all the Traffic Packets and will not segregate based on port number.
> 
>     So to identify your own custom dissector protocol messages you have
>     to separate out the packets based on certain criteria specific to your
> 
>     Protocol.
> 
>     And a normal dissector is registered with the Wireshark  based on
>     port information which tells the Wireshark on which port your message is
> 
>     Going to be exchanges.
> 
>      
> 
>     I hope it clarifies.
> 
>      
> 
>     Hemant.
> 
>      
> 
>     ------------------------------------------------------------------------
> 
>     *From:* wireshark-dev-bounces@...
>     <mailto:wireshark-dev-bounces@...>
>     [mailto:wireshark-dev-bounces@...
>     <mailto:wireshark-dev-bounces@...>] *On Behalf Of *Tom Stevens
>     *Sent:* Wednesday, August 27, 2008 2:24 PM
>     *To:* wireshark-dev@... <mailto:wireshark-dev@...>
>     *Subject:* [Wireshark-dev] heuristic Dissector vs. normal dissector
> 
>      
> 
>     Hi!
> 
>     What are the differences between a heuristic dissector and a normal
>     dissector. So far i have not considered heuristic dissectors,
>     because I did not know what they are and how to use them.
>     Maybe you can help!
> 
>     Thanks in advance Tom (Germany)
> 
> 
>     _______________________________________________
>     Wireshark-dev mailing list
>     Wireshark-dev@... <mailto:Wireshark-dev@...>
>     https://wireshark.org/mailman/listinfo/wireshark-dev
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@...
> https://wireshark.org/mailman/listinfo/wireshark-dev
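
A self-contained C model of what Hemant and Jeff describe above, added here as an illustration; it is not code from the thread or from Wireshark and does not use Wireshark's API. The dispatcher, the table and function names, the 0xCAFE identifier and the extra length check are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only: not Wireshark's API. All names, the 0xCAFE identifier and
 * the length field are hypothetical. A dissector returns true to accept. */
typedef bool (*dissect_fn)(const uint8_t *payload, size_t len);
struct entry { const char *name; uint16_t port; dissect_fn fn; };

/* Port-registered dissector: trusts the port, takes any non-empty payload. */
static bool port_proto(const uint8_t *p, size_t len) { (void)p; return len > 0; }

/* Heuristic for a text protocol: payload must start with "GET ". */
static bool heur_http_like(const uint8_t *p, size_t len)
{
    return len >= 4 && memcmp(p, "GET ", 4) == 0;
}

/* Heuristic for the custom protocol: 2-byte identifier, then a 2-byte
 * big-endian body length that must match what is actually present. */
static bool heur_myproto(const uint8_t *p, size_t len)
{
    if (len < 4) return false;                      /* check length before reading */
    if (p[0] != 0xCA || p[1] != 0xFE) return false; /* identifier mismatch: reject */
    size_t body = ((size_t)p[2] << 8) | p[3];
    return body == len - 4;                         /* second test cuts false accepts */
}

static const struct entry port_table[] = { { "port_proto", 8080, port_proto } };
static const struct entry heur_table[] = {
    { "http_like", 0, heur_http_like },
    { "myproto",   0, heur_myproto },
};

static const char *try_port(uint16_t port, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].port == port && port_table[i].fn(p, len))
            return port_table[i].name;
    return NULL;
}

/* Offer the payload to each heuristic in turn until one accepts it. */
static const char *try_heur(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < sizeof heur_table / sizeof heur_table[0]; i++)
        if (heur_table[i].fn(p, len))
            return heur_table[i].name;
    return NULL;
}

/* Port table first by default; heur_first models the TCP "try heuristic
 * subdissectors first" option. Unclaimed payload is reported as "data". */
const char *dispatch(uint16_t port, const uint8_t *p, size_t len, bool heur_first)
{
    const char *hit = heur_first ? try_heur(p, len) : try_port(port, p, len);
    if (!hit)
        hit = heur_first ? try_port(port, p, len) : try_heur(p, len);
    return hit ? hit : "data";
}

/* Constructed sample payloads. */
static const uint8_t SAMPLE_OK[]     = { 0xCA, 0xFE, 0x00, 0x02, 0x41, 0x42 };
static const uint8_t SAMPLE_SHORT[]  = { 0xCA };
static const uint8_t SAMPLE_BADLEN[] = { 0xCA, 0xFE, 0x00, 0x09, 0x41 };
static const uint8_t SAMPLE_HTTP[]   = { 'G', 'E', 'T', ' ', '/' };

int main(void)
{
    printf("%s\n", dispatch(8080, SAMPLE_OK, sizeof SAMPLE_OK, false));
    printf("%s\n", dispatch(8080, SAMPLE_OK, sizeof SAMPLE_OK, true));
    printf("%s\n", dispatch(5000, SAMPLE_SHORT, sizeof SAMPLE_SHORT, false));
    printf("%s\n", dispatch(5000, SAMPLE_BADLEN, sizeof SAMPLE_BADLEN, false));
    printf("%s\n", dispatch(5000, SAMPLE_HTTP, sizeof SAMPLE_HTTP, false));
    return 0;
}
```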
