hi!
I have used oprofile for profiling loading a pretty large sctp capture.
the sctp chunks are filled with zeroes (i.e. there is NO application
protocol involved)
here is the main part of the call trace:
CPU: AMD64 family10, speed 3e+06 MHz (estimated)
Counted CPU_CLK_UNHALTED events (Cycles outside of halt state) with a unit mask of 0x00 (No unit mask) count 750000
samples % image name symbol name
10063 30.1351 libwireshark.so.0.0.0 guint8_pbrk
1211 3.6265 libwireshark.so.0.0.0 compute_offset_length
952 2.8509 libwireshark.so.0.0.0 dissect_ip
885 2.6503 libwireshark.so.0.0.0 fast_ensure_contiguous
813 2.4346 libwireshark.so.0.0.0 tap_push_tapped_queue
691 2.0693 libwireshark.so.0.0.0 call_dissector_work
631 1.8896 libwireshark.so.0.0.0 dissect_packet
624 1.8687 libwireshark.so.0.0.0 dissect_frame
612 1.8327 libwireshark.so.0.0.0 ethertype
588 1.7608 libwireshark.so.0.0.0 check_offset_length_no_exception
578 1.7309 libwireshark.so.0.0.0 dissect_sctp_packet
563 1.6860 libwireshark.so.0.0.0 dissect_sctp_chunk
507 1.5183 libwireshark.so.0.0.0 tvb_reported_length_remaining
500 1.4973 libwireshark.so.0.0.0 emem_alloc_chunk
486 1.4554 libwireshark.so.0.0.0 except_setup_try
459 1.3745 libwireshark.so.0.0.0 call_dissector_through_handle
426 1.2757 libwireshark.so.0.0.0 in_cksum
410 1.2278 libwireshark.so.0.0.0 tvb_new_subset
409 1.2248 libwireshark.so.0.0.0 dissector_try_uint_new
401 1.2009 libwireshark.so.0.0.0 dissector_try_heuristic
381 1.1410 libwireshark.so.0.0.0 dissect_eth_common
325 0.9733 libwireshark.so.0.0.0 tvb_length_remaining
325 0.9733 libwireshark.so.0.0.0 tvb_new
319 0.9553 libwireshark.so.0.0.0 tvb_get_ntohl
311 0.9313 libwireshark.so.0.0.0 tvb_get_ntohs
302 0.9044 libwireshark.so.0.0.0 dissect_data_chunk
298 0.8924 libwireshark.so.0.0.0 tap_build_interesting
293 0.8774 libwireshark.so.0.0.0 tvb_get_guint8
273 0.8175 libwireshark.so.0.0.0 ensure_contiguous
269 0.8056 libwireshark.so.0.0.0 dissect_sctp
269 0.8056 libwireshark.so.0.0.0 dissect_vlan
251 0.7517 libwireshark.so.0.0.0 col_append_fstr
251 0.7517 libwireshark.so.0.0.0 dissector_try_uint
249 0.7457 libwireshark.so.0.0.0 col_set_str
239 0.7157 libwireshark.so.0.0.0 ensure_contiguous_no_exception
214 0.6409 libwireshark.so.0.0.0 emem_free_all
213 0.6379 libwireshark.so.0.0.0 epan_dissect_run_with_taps
203 0.6079 libwireshark.so.0.0.0 dissect_sip_common
what I do not understand is why are functions like:
dissector_try_heuristic
guint8_pbrk
dissect_sip_common
called since:
1. the sctp chunks do NOT contain the data of any application level protocol
2. the ports used are NOT the default sip ports..
3. in the Edit/Preferences/Protocols/SCTP window, _none_ of:
a. "Try heuristic sub-dissectors first"
b. "Dissect upper layer protocols"
are checked.
otoh, why is it trying to dissect sip and not diameter for example??
thanks!
cristian