Heuristic Dissector is never called

asked 2021-03-04 19:32:07 +0000

Sedictious gravatar image

updated 2021-03-04 19:32:56 +0000

Hello! I was trying to write a dissector for a custom protocol. The supposed protocol has a specific sync word so I tried to make my dissector be port-agnostic that simply searches for the specified word in the beginning of the header.

Here's a sketch of the code:

 static int
    dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *foo_proto_tree, void* data){
    // build protocol tree...
}

static gboolean
frame_sync_test_foo(tvbuff_t *tvb)
{
    if (tvb_strncaseeql(tvb, UDP_OFFSET, "FOOBAR", 6) == 0) {
        return TRUE;
    }
    return FALSE;
}

static gboolean
dissect_foo_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    if ( !frame_sync_test_foo(tvb) ) {
        return FALSE;
    }
    dissect_foo(tvb, pinfo, tree, data);
    return TRUE;
}

void
proto_reg_handoff_foo(void)
{
    static dissector_handle_t foo_handle;
    foo_handle = create_dissector_handle(dissect_foo, proto_foo);
    register_dissector("FOO", dissect_foo, proto_foo);
    heur_dissector_add("udp", dissect_foo_heur, "FOO (UDP)", "foo_udp", proto_foo, HEURISTIC_ENABLE);
}

void proto_register_foo(void)
{
/* Setup protocol subtree array */
    static gint *ett[] = {
        &ett_foo,
        &ett_foo_primary_hdr,
        &ett_foo_secondary_hdr
    };

    // set-up header files...   

    proto_foo = proto_register_protocol("FOO", "FOOBAR", "foo");

    proto_register_field_array(proto_foo, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));
}

After compiling, my protocol is registered as expected (meaning that I can see my protocol in the list of available protocols and its hash table contains all the fields I set up), but I couldn't dissect any packet. I generated a few UDP packets and while I'd expect the UDP payload to be dissected according to my protocol (granted its first few bytes match the ones of the sync word), I don't get anything (note that I have the Try heuristic dissectors first option enabled).

Also what perplexes me even more, is the fact that dissect_foo_heur is never called, which I don't find to be reasonable since the UDP payload doesn't match with any other dissector. That means that Wireshark doesn't ever consider checking my dissector when receiving a UDP packet.

Is there anything wrong with my code or am I misunderstanding something in the way that heuristic dissectors are supposed to work (sorry for the noob question :P)

edit retag flag offensive close merge delete

Comments

Does your dissector show up in the udp heuristic table? Look in View -> Internal -> Dissector Tables and search for udp. Does the data show up as "data" under udp indicating that the default data dissector has been called?

grahamb gravatar imagegrahamb ( 2021-03-04 20:04:47 +0000 )edit

For your first question the answer is yes, it shows up as expected. I'm not sure I got your second question though. I can see the header of the UDP packet, but the packet I actually sent simply shows up as UDP Payload.

Sedictious gravatar imageSedictious ( 2021-03-04 22:51:14 +0000 )edit

If the udp dissector can't find either a port configured dissector or a heuristic one that will handle the payload, it's handed off to the generic "data" dissector. See the wiki page for the "data" protocol.

grahamb gravatar imagegrahamb ( 2021-03-05 10:30:13 +0000 )edit

Sure but if I understand correctly, when receiving a chunk of "data", Wireshark tries to find a suitable sub-dissector and it cycles through all the "candidate dissector". Problem is, dissect_foo_heur isn't ever called, despite my data simply being labeled simply as "UDP Payload"

Sedictious gravatar imageSedictious ( 2021-03-05 10:48:43 +0000 )edit

As you note, this doesn't appear to be happening for your dissector, I'm trying to find out what is happening.

Personally I would fire up the debugger and look in packet-udp where it attempts to hand off the data to sub-dissectors.

grahamb gravatar imagegrahamb ( 2021-03-05 10:59:11 +0000 )edit

I'd guess tvb_strncaseeql(tvb, UDP_OFFSET, "FOOBAR", 6) newer matches. But as Graham says a debugger or debug output would prove if the function is called or not.

Anders gravatar imageAnders ( 2021-03-05 11:42:44 +0000 )edit

I don't think it was apparent , but I actually have a "debugger" that simply outputs a string (aka a poor man's debugger) and that's how I know that dissect_foo_heur is never called. I guess I just have to dig deeper and fire up the real debugger to find out what's wrong

Sedictious gravatar imageSedictious ( 2021-03-05 16:26:12 +0000 )edit