Wireshark-bugs: [Wireshark-bugs] [Bug 4822] WTP+WSP packets incorrectly dissected as Foundation
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4822
--- Comment #1 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-06-03 22:27:29 EDT ---
(In reply to comment #0)
> Created an attachment (id=4722)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4722) [details]
> A bunch of WTP+WSP packets that are incorrectly dissected
>
> I'm unsure if there's a heuristic to determine whether or not traffic bound
> for UDP port 9201 is either Foundation FieldBus, WTP+WSP or something else,
> although it appears that the packets in the attached capture file are being
> incorrectly dissected as Foundation FieldBus by default.
The reason that the frames are dissected as FF is that the frames have a UDP
"port pair" of 1089/9021 (where 1089 is the assigned UDP port for FF)
and that:
The Wireshark UDP dissector tries to decide which port of a pair to use first
when determining a "sub-dissector" as follows:
From the UDP dissector source code:
/* Do lookups with the subdissector table.
   We try the port number with the lower value first, followed by the
   port number with the higher value. This means that, for packets
   where a [different] dissector is registered for *both* port numbers:
   1) we pick the same dissector for traffic going in both directions;
   2) we prefer the port number that's more likely to be the right
      one (as that prefers well-known ports to reserved ports);
   although there is, of course, no guarantee that any such strategy
   will always pick the right port number.
*/
Currently the FF dissector is an "old-style" dissector which assumes that any
traffic on port 1089 is FF; that is: it makes no attempt to validate the
contents of the frame.
Note that a different approach (other than using Decode As) to cause the
desired dissection would be to disable the FF protocol (Analyze ! Enabled
Protocols); this approach has the advantage that the change can be saved as a
permanent change.
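The lookup order described in the comment above, as an added example that is not part of the original mail and is not Wireshark source. All function and type names are hypothetical, port 9201 is taken from the quoted report, and the check in ff_validating is a constructed placeholder rather than a real Foundation Fieldbus rule.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of port-based sub-dissector selection. Hypothetical names,
   not Wireshark source. A handler returns bytes accepted; 0 = "not mine". */
typedef int (*dissect_fn)(const unsigned char *buf, size_t len);
struct entry { unsigned port; const char *name; dissect_fn fn; int enabled; };

/* "Old-style": claims everything arriving on its port, no validation. */
static int ff_old_style(const unsigned char *b, size_t n) { (void)b; return (int)n; }
/* Validating variant; the 0xFF marker byte is a constructed placeholder,
   not the real Foundation Fieldbus header rule. */
static int ff_validating(const unsigned char *b, size_t n) {
    return (n > 0 && b[0] == 0xFF) ? (int)n : 0;
}
static int wtp_wsp(const unsigned char *b, size_t n) { (void)b; return (int)n; }

static const char *try_port(const struct entry *t, size_t nt, unsigned port,
                            const unsigned char *b, size_t n) {
    for (size_t i = 0; i < nt; i++)
        if (t[i].port == port && t[i].enabled && t[i].fn(b, n) > 0)
            return t[i].name;
    return NULL;
}

/* Lower-numbered port first, then the higher one, regardless of direction. */
const char *pick_dissector(const struct entry *t, size_t nt, unsigned sport,
                           unsigned dport, const unsigned char *b, size_t n) {
    unsigned lo = sport < dport ? sport : dport;
    unsigned hi = sport < dport ? dport : sport;
    const char *name = try_port(t, nt, lo, b, n);
    if (name == NULL && hi != lo)
        name = try_port(t, nt, hi, b, n);
    return name ? name : "data";
}

/* One scenario: ff_fn handles port 1089, ff_on is its enabled state. */
const char *scenario(dissect_fn ff_fn, int ff_on, unsigned sport, unsigned dport) {
    static const unsigned char payload[] = { 0x0a, 0x00, 0x01, 0x12 }; /* constructed */
    struct entry table[] = { { 1089, "FF", ff_fn, ff_on },
                             { 9201, "WTP+WSP", wtp_wsp, 1 } };
    return pick_dissector(table, 2, sport, dport, payload, sizeof payload);
}

int main(void) {
    printf("old-style FF:  %s\n", scenario(ff_old_style, 1, 1089, 9201));
    printf("FF disabled:   %s\n", scenario(ff_old_style, 0, 1089, 9201));
    printf("validating FF: %s\n", scenario(ff_validating, 1, 1089, 9201));
    return 0;
}
```

Only the first case labels the payload as FF; disabling the handler or having it reject unrecognised content lets the lookup fall through to the higher port.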