heuristic dissector - Malformed packet - Same port different protocol
I have a pcap with 2 packets over udp, with the same port.
I want my heuristic dissector to recognize only the second packet as my protocol.
So I want to have 1 udp packet and the second will be my dissector protocol.
My dissector is based on a magic number at specific offset.
The second packet is recognized as my protocol by the heuristic dissector
And the first one is udp, and under the udp layer there is Malformed packet: rtp stats
And in expert information, I get Malformed packet (Exception occurred)
There are a lot of examples, each one with different code (according to changes in the API, I believe)
I tried with create_dissector_handle and without
    void proto_reg_handoff_rtp_stats(void)
    {
        static gboolean initialized = FALSE;
        //static dissector_handle_t rtp_stats_handle;
        if (!initialized) {
            //rtp_stats_handle = create_dissector_handle(dissect_rtp_stats, proto_rtp_stats);
            initialized = TRUE;
            /* Register the heuristic check on the "udp" heuristic list */
            heur_dissector_add("udp", dissect_rtp_heur_stats, "rtp stats on udp(heuristic)", "rtp-stats", proto_rtp_stats, HEURISTIC_ENABLE);
        }
    }
And here is the heuristic checker version,
    static gboolean
    dissect_rtp_heur_stats(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
    {
        /* The magic number is expected at offset 12 */
        uint32_t nMagicNumber = tvb_get_ntohl(tvb, 12);
        if (nMagicNumber != 0xCACAD0D0)
        {
            col_clear(pinfo->cinfo, COL_INFO);
            return FALSE;
        }
        printf("rtp stats %X", nMagicNumber);
        return (dissect_rtp_stats(tvb, pinfo, tree, data) != 0);
    }
I found my problem, it was crashing before the check, because I didn't check packet length
Not sure I get it, the rtp heur dissector claims a packet it shouldn't? You can disable that particular dissector.
My dissector is rtp_stats, I don't want to disable it
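
The missing length check the asker describes, shown as an added stand-alone example (not code from the thread or from Wireshark): the heuristic rejects any payload too short to hold the 4-byte magic at offset 12 before it reads anything. The function and macro names and the sample payloads are constructed for illustration; in a real dissector the same guard would be a `tvb_captured_length(tvb)` comparison placed before the `tvb_get_ntohl(tvb, 12)` call, which otherwise throws a bounds exception that Wireshark reports as a malformed packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_STATS_MAGIC_OFFSET 12u          /* offset used in the thread */
#define RTP_STATS_MAGIC        0xCACAD0D0u  /* magic value used in the thread */
#define RTP_STATS_MIN_LEN      (RTP_STATS_MAGIC_OFFSET + 4u)

/* Read a big-endian 32-bit value. The caller must already have checked
 * bounds; this stands in for tvb_get_ntohl(), which throws when out of range. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Heuristic test (hypothetical helper): returns 1 to claim the payload,
 * 0 to leave it to other dissectors. The length check comes first, so a
 * short packet is declined instead of triggering an out-of-bounds read. */
int rtp_stats_heuristic(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < RTP_STATS_MIN_LEN)
        return 0;
    return read_be32(payload + RTP_STATS_MAGIC_OFFSET) == RTP_STATS_MAGIC;
}

/* Constructed sample UDP payloads (not taken from the asker's pcap). */
static const uint8_t short_pkt[8]  = {0x80, 0, 0, 1, 0, 0, 0, 0};
static const uint8_t other_pkt[16] = {0x80, 0, 0, 1, 0, 0, 0, 0,
                                      0, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t stats_pkt[16] = {0x80, 0, 0, 1, 0, 0, 0, 0,
                                      0, 0, 0, 0, 0xCA, 0xCA, 0xD0, 0xD0};

int main(void)
{
    printf("short payload (8 bytes):  %d\n",
           rtp_stats_heuristic(short_pkt, sizeof short_pkt));
    printf("wrong magic (16 bytes):   %d\n",
           rtp_stats_heuristic(other_pkt, sizeof other_pkt));
    printf("correct magic (16 bytes): %d\n",
           rtp_stats_heuristic(stats_pkt, sizeof stats_pkt));
    /* Magic would straddle the end of the buffer: must be declined. */
    printf("truncated to 15 bytes:    %d\n",
           rtp_stats_heuristic(stats_pkt, 15));
    return 0;
}
```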