I am trying to implement a heuristic dissector for TCP packets.
In the README.heuristic, it says that
"Once a packet for a particular "connection" has been identified as belonging to a particular protocol, Wireshark should then be set up to always directly call the dissector for that protocol. This removes the overhead of having to identify each packet of the connection heuristically."
I am not very sure what this "should be set up to always directly call the dissector for that protocol" means. Does it mean that once the first packet is identified, the subsequent packets in the TCP stream will be automatically identified correctly?
I have tried to implement a heuristic dissector for TCP that only identifies the first incoming packet of the stream I want. It seems that it only identifies the first packet but not the subsequent ones in the stream.
If the heuristic for TCP is applied to all packets individually, I am not sure the sample code for the heuristic dissector makes sense. The sample code seems to try to identify the first few bytes of each packet individually. However, this may not work in real life because TCP packets may be fragmented arbitrarily by hardware if the information sent is too long. If the heuristic is done this way, will some of the fragmented TCP packets be misidentified?
Please advise.
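What the README's "set up to always directly call the dissector" means in practice, as an added example that is not from the question or from Wireshark's sample code: a Lua heuristic TCP dissector for a hypothetical "EXMP" protocol (the 4-byte magic and 4-byte big-endian length header are assumptions) that binds the conversation to itself on the first match, so later segments are handed straight to the full dissector, and that asks TCP to desegment PDUs split across segments.

```lua
-- Added example (hypothetical protocol, not from the post or Wireshark):
-- PDU layout assumed here: "EXMP" (4 bytes) + big-endian payload length (4 bytes) + payload.
local exmp = Proto("exmp", "Example Protocol (hypothetical)")
local f_magic = ProtoField.string("exmp.magic", "Magic")
local f_len   = ProtoField.uint32("exmp.len", "Payload length", base.DEC)
exmp.fields = { f_magic, f_len }

local MAGIC = "EXMP"
local HDR_LEN = 8

-- Full dissector: called directly for every later segment of a bound
-- conversation. Handles several PDUs per segment and asks TCP to reassemble
-- when a PDU is split across segments, so split packets are not misidentified.
function exmp.dissector(tvb, pinfo, tree)
  local offset = 0
  local total = tvb:len()
  while offset < total do
    local avail = total - offset
    if avail < HDR_LEN then
      -- Even the header is split: ask for one more segment and retry later.
      pinfo.desegment_offset = offset
      pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
      return
    end
    local pdu_len = HDR_LEN + tvb(offset + 4, 4):uint()
    if avail < pdu_len then
      -- Header seen, body incomplete: request exactly the missing bytes.
      pinfo.desegment_offset = offset
      pinfo.desegment_len = pdu_len - avail
      return
    end
    pinfo.cols.protocol = "EXMP"
    local sub = tree:add(exmp, tvb(offset, pdu_len))
    sub:add(f_magic, tvb(offset, 4))
    sub:add(f_len, tvb(offset + 4, 4))
    offset = offset + pdu_len
  end
end

-- Heuristic: only has to recognise the first segment of the stream.
local function exmp_heuristic(tvb, pinfo, tree)
  if tvb:len() < HDR_LEN or tvb(0, 4):string() ~= MAGIC then
    return false
  end
  -- Bind this TCP conversation to our dissector: from now on Wireshark calls
  -- exmp.dissector directly and the heuristic is no longer consulted.
  pinfo.conversation = exmp
  exmp.dissector(tvb, pinfo, tree)
  return true
end

exmp:register_heuristic("tcp", exmp_heuristic)
```

Load it as a Lua plugin; the C equivalent of the binding step is `find_or_create_conversation(pinfo)` followed by `conversation_set_dissector()`, and `tcp_dissect_pdus()` plays the role of the desegmentation loop.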