select a dissector by magic in header

asked 2021-02-01 13:45:23 +0000

clemens1509

Hi, I would like to select a dissector not only by a port number. I would like to select the dissector by [0-4] = "magic". For port I use dissector_add_uint. How can I do it for such an expression above?


2 Answers

answered 2021-02-01 16:12:44 +0000

Chuckc

Have you looked at README.heuristic?
"A HD looks into the first few packet bytes and searches for common patterns that are specific to the protocol in question."

Thanks, heuristics works.

clemens1509 ( 2021-02-01 16:45:42 +0000 )
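The heuristic approach from the answer above, shown as an added example in Wireshark's Lua API (not code from this thread or from the Wireshark source, and not the C API that README.heuristic documents). The protocol name `magicproto`, the UDP transport, and the treatment of everything after the magic as an opaque payload are assumptions; the 5-byte value `magic` at offsets 0-4 is taken from the question.

```lua
-- Added example: heuristic dissector that claims a packet only when
-- bytes 0..4 equal the ASCII string "magic" (the pattern from the question).
-- Assumed for illustration: protocol name "magicproto", UDP transport,
-- and an opaque payload after the magic.

local MAGIC = "magic"

local magic_proto = Proto("magicproto", "Magic-Prefixed Protocol (example)")

local f_magic   = ProtoField.string("magicproto.magic", "Magic")
local f_payload = ProtoField.bytes("magicproto.payload", "Payload")
magic_proto.fields = { f_magic, f_payload }

-- Normal dissector: only called after the heuristic has accepted the packet.
function magic_proto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MAGIC"
    local subtree = tree:add(magic_proto, tvb())
    subtree:add(f_magic, tvb(0, #MAGIC))
    if tvb:len() > #MAGIC then
        subtree:add(f_payload, tvb(#MAGIC))
    end
    return tvb:len()
end

-- Heuristic: reject as cheaply as possible, accept only on an exact match.
local function magic_heuristic(tvb, pinfo, tree)
    -- Length check first: reading past the end of a short or truncated
    -- packet would raise an error instead of a clean "not mine".
    if tvb:len() < #MAGIC then
        return false
    end
    -- tvb:raw() returns the bytes as a Lua string, so this is a byte-exact
    -- comparison with no character-set conversion.
    if tvb:raw(0, #MAGIC) ~= MAGIC then
        return false
    end
    magic_proto.dissector(tvb, pinfo, tree)
    return true
end

-- Register on the UDP heuristic list instead of a fixed port.
magic_proto:register_heuristic("udp", magic_heuristic)
```

A 5-byte magic is a weak discriminator on its own, so any unrelated traffic that happens to start with the same bytes will also be claimed; README.heuristic recommends checking further fields where the protocol has them.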

answered 2021-02-01 19:59:57 +0000

Chuckc

Answer in comments.

@Chuckc: I don't know whether everybody's allowed to do this, but there's a "convert to answer" link below a comment, after the "edit" link, so at least some people can convert a comment to an answer; I did that with your comment. (It's a bit more work to move responses to your answer under the new answer - you have to convert those comments to answers and then convert them back to comments "under older answer".)

Guy Harris ( 2021-02-02 03:06:38 +0000 )

Thanks! Looks like the Karma level for that is 2000 - How does karma system work? which is good. Graham and Jaap are still training me. :-)

Chuckc ( 2021-02-02 03:30:11 +0000 )

