Thomas Boehne wrote:
> Hello,
> I was capturing H1 traffic, and for some TCP port combinations the H1
> dissector was called; for other combinations the generic "data"
> dissector was used. Can somebody tell me why? I thought the
> packet-h1.c dissector would dissect all packets that start with "S5",
> but apparently the dissector is not called at all for some packets
> (see attached files H1-ok.pcap and H1-nok.pcap). If I manually change
> the ports in H1-nok.pcap, the dissector is called.

If I set the TCP preference "Try heuristic dissectors first?" then the
"nok" file shows up as H1 for me.

Without that option set, heuristic dissectors are called only if

 - no dissector is registered on, for example, one of the TCP ports in
   the packet in question
 - or (if there is a dissector registered for that port) and that
   dissector is a "new style" dissector (which does some heuristics and
   returns FALSE if the packet does not look like it belongs to that
   dissector) and it returns FALSE

The "nok" file has a TCP segment between ports 1030 and 2000. Looking in:

http://www.iana.org/assignments/port-numbers

we can see that port 2000 is registered to "Cisco SCCP" which Wireshark
has a dissector for (it's called "Skinny" in Wireshark). Sure enough,
"packet-skinny.c" is not a new style dissector (it returns void), so
it's what's eating your packet.

(This can be verified by disabling the Skinny dissector; again, your
"nok" packet shows up as H1.)

The Skinny dissector actually has some heuristics in it:

    if (hdr_data_length < 4 || hdr_reserved != 0) {
        /* Not an SKINNY packet, just happened to use the same port */
        call_dissector(data_handle,tvb, pinfo, tree);
        return;
    }

so it could easily be converted to a new-style dissector (by returning
FALSE here) which should fix your problem.
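
The dispatch order described in this reply, as an added example that is not part of the original mail and is not Wireshark source: a simplified C model showing why an "S5" payload on port 2000 ends up as "data" with an old-style port dissector and as H1 once that dissector can return FALSE. All names (`dispatch`, `skinny_old`, `skinny_new`, `h1_heuristic`) are hypothetical, the Skinny header layout is an assumption, and both payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the dispatch order described in the mail; not Wireshark
   source. All function and type names are hypothetical. */
enum result { R_DATA, R_SKINNY, R_H1 };
typedef int (*port_dissector)(const uint8_t *, size_t, enum result *);

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Skinny's own check from the mail; the header layout (little-endian length,
   then reserved word) is an assumption of this model. */
static int looks_like_skinny(const uint8_t *b, size_t n) {
    return n >= 8 && !(le32(b) < 4 || le32(b + 4) != 0);
}
/* H1 heuristic as the question describes it: payload starts with "S5". */
static int h1_heuristic(const uint8_t *b, size_t n) {
    return n >= 2 && b[0] == 'S' && b[1] == '5';
}
/* Old style: no way to reject, so a mismatch is handed to "data" and claimed. */
static int skinny_old(const uint8_t *b, size_t n, enum result *out) {
    *out = looks_like_skinny(b, n) ? R_SKINNY : R_DATA;
    return 1;
}
/* New style: returns 0 (FALSE) on mismatch so dispatch can continue. */
static int skinny_new(const uint8_t *b, size_t n, enum result *out) {
    if (!looks_like_skinny(b, n)) return 0;
    *out = R_SKINNY;
    return 1;
}
static enum result dispatch(unsigned sport, unsigned dport, port_dissector on2000,
                            int heur_first, const uint8_t *b, size_t n) {
    enum result r = R_DATA;
    if (heur_first && h1_heuristic(b, n)) return R_H1;
    if ((sport == 2000 || dport == 2000) && on2000(b, n, &r)) return r;
    if (!heur_first && h1_heuristic(b, n)) return R_H1;
    return R_DATA;
}
/* Constructed payloads, not taken from the attached captures. */
static const uint8_t h1_pkt[] = { 'S', '5', 0x10, 0x01, 0x03, 0x05, 0x03, 0x08 };
static const uint8_t skinny_pkt[] = { 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("old style, port 2000: %d\n", dispatch(1030, 2000, skinny_old, 0, h1_pkt, sizeof h1_pkt));
    printf("new style, port 2000: %d\n", dispatch(1030, 2000, skinny_new, 0, h1_pkt, sizeof h1_pkt));
    return 0;
}
```

For anyone reading captures as evidence, the same effect means a payload on a well-known port can be labelled by the port's dissector or dumped as "data" regardless of its content, so check the heuristic preference or disable the claiming dissector before trusting the protocol column.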