I am not very sure what this "should be set up to always directly call the dissector for that protocol" means. Does it mean that whenever the first packet is identified, the subsequent packets in the TCP stream will be automatically identified correctly?

No.

"Should" has multiple meanings; there's "Used to indicate obligation, duty, or correctness, typically when criticizing someone's actions.", as in "I think we should trust our people more", and there's "Used to indicate what is probable.", as in "the bus should arrive in a few minutes". You're reading it in the latter sense; it was intended in the former sense.

That sentence should probably be changed to "Wireshark must be then set up..." to avoid the ambiguity.

The way you set it up is to arrange that there's a "conversation" for the TCP connection, and assign a non-heuristic version of your dissector as the dissector for that conversation; see the sample dissect_PROTOABBREV_heur_tcp() routine in the README.heuristic file - it does exactly that.
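The mechanism described in the answer above, as an added self-contained C model (not part of the original answer and not Wireshark code): it shows why a later segment that fails the heuristic is still dissected once a conversation dissector has been assigned, and is missed when it has not. All type and function names and the "PRTO" magic are hypothetical; real dissectors use `find_or_create_conversation()` and `conversation_set_dissector()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model only: hypothetical stand-ins for Wireshark's conversation table.
 * In a real dissector the pinning step is find_or_create_conversation()
 * followed by conversation_set_dissector(). */
typedef bool (*dissector_fn)(const unsigned char *data, size_t len);
struct conv { unsigned stream; dissector_fn dissector; }; /* one TCP connection */

static struct conv convs[8];
static size_t n_convs;

static struct conv *find_or_create_conv(unsigned stream) {
    for (size_t i = 0; i < n_convs; i++)
        if (convs[i].stream == stream) return &convs[i];
    if (n_convs == sizeof convs / sizeof convs[0]) return NULL;
    convs[n_convs] = (struct conv){ stream, NULL };
    return &convs[n_convs++];
}

/* Non-heuristic dissector: assumes the payload is ours and never rejects. */
static bool dissect_proto(const unsigned char *data, size_t len) {
    (void)data; (void)len;
    return true;
}

/* Heuristic dissector: accepts only segments that start with the constructed
 * magic "PRTO"; with pin set it assigns the conversation dissector on a match. */
static bool dissect_proto_heur(unsigned stream, const unsigned char *data, size_t len, bool pin) {
    if (len < 4 || memcmp(data, "PRTO", 4) != 0) return false;
    struct conv *c = pin ? find_or_create_conv(stream) : NULL;
    if (c) c->dissector = dissect_proto;
    return dissect_proto(data, len);
}

/* Model of per-segment dispatch: an assigned conversation dissector is called
 * directly; the heuristic runs only when none is assigned. */
static bool tcp_dispatch(unsigned stream, const unsigned char *data, size_t len, bool pin) {
    struct conv *c = find_or_create_conv(stream);
    if (c && c->dissector) return c->dissector(data, len);
    return dissect_proto_heur(stream, data, len, pin);
}

int main(void) {
    const unsigned char first[] = "PRTOhello", later[] = "mid-stream bytes";
    bool a = tcp_dispatch(1, first, sizeof first - 1, true) && tcp_dispatch(1, later, sizeof later - 1, true);
    bool b = tcp_dispatch(2, first, sizeof first - 1, false) && !tcp_dispatch(2, later, sizeof later - 1, false);
    return (a && b) ? 0 : 1; /* stream 1 is pinned, stream 2 is not */
}
```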