Re: why cannot I use heur_dissector_add("ip", .....

[John x <xiachangqin66 () hotmail com>]

I see, Thanks

but here I want to use ip.ttl to instruct wireshark to handoff packet to my dissector. 

In my specific situation, ip.ttl is my only way to distinguish my packets. 
Do you have any suggestions?

Thanks again

 

> From: guy () alum mit edu
> Date: Sat, 25 Jun 2011 23:04:43 -0700
> To: wireshark-dev () wireshark org
> Subject: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .....
>
>
> On Jun 25, 2011, at 10:26 PM, John x wrote:
>
> > Why cannot I use ip, like: heur_dissector_add("ip", dissect_PROTOABBREV, proto_PROTOABBREV);   ?
>
> Because IP has a protocol number field, and protocols running on top of IP are supposed to have a protocol number 
> assigned to them, so a dissector for the protocol does not *need* to be a heuristic dissector - it just needs to 
> register itself with the "ip.proto" protocol table with the protocol number.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe