
Ethereal-dev: Re: [Ethereal-dev] New preference for tcp

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Lars Roland <Lars.Roland@xxxxxxx>
Date: Fri, 25 Jul 2003 00:02:27 +0200

Hello,
sorry I was a little too late with my last answer.

Guy Harris wrote:

On Wednesday, July 23, 2003, at 4:40 PM, Guy Harris wrote:

On Monday, July 21, 2003, at 4:38 AM, Lars Roland wrote:

the attached patch adds a new preference to the tcp-dissector.
You can decide, if you want the tcp dissector looking for a matching heuristic subdissector before looking for a registered port or the other way round. Last one is default, so the actual mechanism won't change without setting the new preference.


Perhaps UDP should have a similar preference.


It should. I've checked in your patch plus a change to do the same for UDP.

There might be other dissectors for which this should be done as well.

(Another possibility would be to have "weak" and "strong" heuristic dissectors, where a "weak" one is likely to have false hits but a "strong" one isn't; we could check the "strong" ones before the port numbers and the "weak" ones after. Or we could have a numerical strength value, with stronger ones checked before weaker ones, and the halfway point between the minimum and maximum strength being the split between "strong" ones and "weak" ones. However, that's a bit complicated, and people might not choose the right strength.)

A nice idea. If people could set the strength via preference, they can handle any problematic situation. I think a boolean value is enough. Just weak or strong. And default should be weak for all. This option is a solution, when standard procedure fails. And the actual procedure is already very good, matching more than 99.99% of my q931-over-tpkt traffic correctly.

Regards,
Lars
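
An added illustration of the ordering discussed in this thread (not code from the patch or from Ethereal): a toy dispatcher in C that compares port-first, heuristic-first, and the "strong before ports, weak after" split. All type and function names, the port table and the sample payloads are constructed for this example.

```c
#include <stddef.h>
#include <string.h>  /* strcmp, for callers comparing the returned name */

/* Hypothetical names throughout; this is not Ethereal's dissector API. */
typedef int (*heur_fn)(const unsigned char *d, size_t len);
struct heur_entry { const char *name; heur_fn match; int strong; };
struct port_entry { unsigned port; const char *name; };
enum order { PORT_FIRST, HEUR_FIRST, STRONG_PORT_WEAK };

/* Strict check: TPKT header is version 3, reserved 0, then a 16-bit length
 * that must equal the payload length (one TPKT per segment assumed). */
static int heur_tpkt(const unsigned char *d, size_t len) {
    return len >= 4 && d[0] == 3 && d[1] == 0 &&
           (size_t)((d[2] << 8) | d[3]) == len;
}
/* Loose check, prone to false hits: only looks at the first byte. */
static int heur_loose(const unsigned char *d, size_t len) {
    return len >= 1 && d[0] == 3;
}
static const struct heur_entry heurs[] = {
    { "tpkt", heur_tpkt, 1 }, { "loose-proto", heur_loose, 0 },
};
static const struct port_entry ports[] = { { 102, "tpkt" }, { 8080, "http" } };

/* Try heuristics whose strength flag lies in [lo, hi], in table order. */
static const char *try_heur(const unsigned char *d, size_t len, int lo, int hi) {
    for (size_t i = 0; i < sizeof heurs / sizeof heurs[0]; i++)
        if (heurs[i].strong >= lo && heurs[i].strong <= hi &&
            heurs[i].match(d, len))
            return heurs[i].name;
    return NULL;
}
static const char *try_port(unsigned port) {
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        if (ports[i].port == port) return ports[i].name;
    return NULL;
}
/* Pick a dissector name for one payload under the chosen ordering. */
const char *pick_dissector(enum order o, unsigned port,
                           const unsigned char *d, size_t len) {
    const char *n = NULL;
    if (o == HEUR_FIRST) n = try_heur(d, len, 0, 1);
    if (o == STRONG_PORT_WEAK) n = try_heur(d, len, 1, 1);
    if (!n) n = try_port(port);
    if (!n && o == PORT_FIRST) n = try_heur(d, len, 0, 1);
    if (!n && o == STRONG_PORT_WEAK) n = try_heur(d, len, 0, 0);
    return n ? n : "data";
}
/* Constructed samples: a 7-byte TPKT, and a non-TPKT payload starting 0x03. */
const unsigned char sample_tpkt[] = { 3, 0, 0, 7, 0x08, 0x02, 0x00 };
const unsigned char sample_other[] = { 3, 0x41, 0x42, 0x43, 0x44 };
```

On port 8080, port-first labels the TPKT sample "http" and heuristic-first labels the non-TPKT sample "loose-proto"; the split ordering gets both right because only the strict check runs ahead of the port table.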