I will consider it.
Thanks
> From: g...@alum.mit.edu
> Date: Sun, 26 Jun 2011 14:17:37 -0700
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .
On Jun 26, 2011, at 2:09 PM, John x wrote:
> these packets run directly atop IP, any suggestions?
1) Get a protocol number from the IANA and use it, instead of some hack
based on the TTL value.
2) Hack the IP dissector in a private version of Wireshark.
these packets run directly atop IP, any suggestions?
Thanks
> From: g...@alum.mit.edu
> Date: Sun, 26 Jun 2011 13:48:07 -0700
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .
On Jun 26, 2011, at 1:44 PM, John x wrote:
> Yes it is that TTL changes in-flight. But my packets are captured on a
> specific link, there are only 2 or 3 kinds of packets. The way to distinguish
> them is only the TTL value.
So these packets run *directly* atop IP?
Or do they run atop UDP or
my 3 different dissectors?
Thanks
> From: g...@alum.mit.edu
> Date: Sun, 26 Jun 2011 11:58:17 -0700
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .
On Jun 25, 2011, at 11:45 PM, John x wrote:
> but here I want to use ip.ttl to instruct wireshark to handoff packet to my
> dissector.
Why? The TTL value changes in-flight, so it cannot be meaningfully used to
distinguish what protocol is being carried in an IP packet.
> In my specific situa
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .
On Jun 25, 2011, at 10:26 PM, John x wrote:
> Why cannot I use ip, like: heur_dissector_add("ip", dissect_PROTOABBREV,
> proto_PROTOABBREV); ?
Because IP has a protocol number field, and protocols running on top of IP are
supposed to have a protocol number assigned to them, so a dissector fo
The following is an example from README.heuristic:
---
void
proto_reg_handoff_PROTOABBREV(void)
{
    static int PROTOABBREV_inited = FALSE;

    if ( !PROTOABBREV_inited )
    {
        /* register as heuristic dissector for both TCP and UDP */
        heur_dissector_add("tcp", dissect_PROTOABBREV, proto_PROTOABBREV);
        heur_dissector_add("udp", dissect_PROTOABBREV, proto_PROTOABBREV);

        PROTOABBREV_inited = TRUE;
    }
}
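An added example (not from this thread and not from Wireshark's own sources) of the approach Guy recommends: hand off on the IP protocol number rather than on a heuristic keyed to TTL, which is rewritten by every router. It is a Lua dissector for a hypothetical protocol "FOOP" with a made-up 4-byte header; 253 is the IANA number reserved for experimentation (RFC 3692) and stands in for a real assignment, and the script assumes a Wireshark build with the Lua ProtoExpert API.

```lua
-- Added example: hypothetical protocol "FOOP" carried directly atop IP.
-- Registration is keyed on the IP protocol number (stable), not on ip.ttl.
local FOOP_PROTO_NUM = 253   -- assumption: IANA experimentation number (RFC 3692)
local FOOP_HDR_LEN   = 4     -- assumption: hypothetical header is 4 bytes

local foop = Proto("foop", "FOOP (hypothetical protocol atop IP)")

local f_version = ProtoField.uint8("foop.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("foop.type", "Type", base.HEX)
local f_length  = ProtoField.uint16("foop.length", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("foop.payload", "Payload")
foop.fields = { f_version, f_type, f_length, f_payload }

-- Expert items so a malformed packet is flagged instead of silently mis-parsed.
local ef_short = ProtoExpert.new("foop.short", "FOOP header truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_len   = ProtoExpert.new("foop.badlen", "FOOP length exceeds packet",
                                 expert.group.MALFORMED, expert.severity.WARN)
foop.experts = { ef_short, ef_len }

function foop.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "FOOP"
    local subtree = tree:add(foop, buf())

    -- Bounds-check before reading any field: never trust the on-wire length.
    if buf:len() < FOOP_HDR_LEN then
        subtree:add_proto_expert_info(ef_short)
        return buf:len()
    end
    subtree:add(f_version, buf(0, 1))
    subtree:add(f_type,    buf(1, 1))
    subtree:add(f_length,  buf(2, 2))

    local declared = buf(2, 2):uint()
    local avail    = buf:len() - FOOP_HDR_LEN
    if declared > avail then
        -- Clamp to what is actually present rather than reading past the buffer.
        subtree:add_proto_expert_info(ef_len)
        declared = avail
    end
    if declared > 0 then
        subtree:add(f_payload, buf(FOOP_HDR_LEN, declared))
    end
    return FOOP_HDR_LEN + declared
end

-- Hand-off: the IP dissector calls us for packets whose Protocol field is 253.
DissectorTable.get("ip.proto"):add(FOOP_PROTO_NUM, foop)
```

Drop the file into the personal plugins directory (or load it with `-X lua_script:`) and packets with IP protocol 253 are dissected as FOOP; the same table is what a C dissector targets with `dissector_add_uint("ip.proto", ...)` in its handoff routine.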