I have a pcap with 2 packets over udp, with the same port.
I want my heuristic dissector to recognize only the second packet as my protocol.
So i want to have 1 udp packet and second will be my dissector protocol.
My dissector is based on a magic number at specific offset.
The second packet is recognized as my protocol by the heuristic dissector
And the first one is udp, and under the udp layer there is Malformed packet: rtp stats
And in expert information, i get Maflormed packet(Exception occured)
There are a lot of example, each one with different code (according to change in the api i beleive )
I tried with create_dissector_handle and without
void proto_reg_handoff_rtp_stats(void)
{
static gboolean initialized = FALSE;
//static dissector_handle_t rtp_stats_handle;
if (!initialized) {
//rtp_stats_handle = create_dissector_handle(dissect_rtp_stats, proto_rtp_stats);
initialized = TRUE;
heur_dissector_add("udp", dissect_rtp_heur_stats, "rtp stats on udp(heuristic)","rtp-stats", proto_rtp_stats,HEURISTIC_ENABLE);
}
And here is the heuristic checker version,
static gboolean
dissect_rtp_heur_stats(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
uint32_t nMagicNumber = tvb_get_ntohl(tvb, 12);
if(nMagicNumber!=0xCACAD0D0)
{
col_clear(pinfo->cinfo, COL_INFO);
return FALSE;
}
printf("rtp stats %X",nMagicNumber );
return (dissect_rtp_stats(tvb,pinfo, tree,data)!= 0);
}
