Ethereal-dev: Re: [Ethereal-dev] Additional potential problem with HTTP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 26 Jan 2004 17:53:15 -0800

On Jan 25, 2004, at 5:43 AM, Yaniv Kaul wrote:

> It seems that if TCP's 'Try heuristic sub-dissectors first' is not checked, if it's not a valid HTTP, it determines it's 'Continuation'. Perhaps it should try the heuristic first, and only if they all fail, regard it as 'continuation'?

To what does "it" refer?

The TCP dissector is the one that tries heuristic and port-based dissectors; the *HTTP* dissector is the one that marks something as continuation. There are two different "it"s involved there.

"It", in the sense of the TCP dissector, should try the heuristic dissectors first iff, well, the "Try heuristic sub-dissectors first" flag is set, as that's what the flag means.

Whether the HTTP dissector should *reject* packets that don't start with an HTTP request or reply line is another matter. If that's done, that would allow the heuristic dissectors to get TCP segments to or from port 80 that don't start with an HTTP request or reply line, so that packets that aren't HTTP won't be shown as HTTP continuations; however, it also means that if you don't do TCP header and data reassembly, packets that *ARE* continuations of HTTP requests or replies from previous TCP segments won't be marked as such (and even some that are might not be, if the HTTP request or reply has a body but doesn't have a "Content-length" header).

> In my case, it was Yahoo! Messenger running on port 80.

There does not, I suspect, exist a way that will cause Ethereal *always* to do the right thing for TCP and UDP, given that port number <-> protocol assignments are hints, not requirements.
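
The trade-off discussed in this message, as an added example that is not part of the original post and is not Ethereal's code: a small C model of TCP-level dispatch with a "heuristic first" flag and a lenient or strict port-80 HTTP dissector. The function names, the `strict` switch and the `YMSG` magic used by the heuristic are assumptions made for illustration, and the segments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the dispatch being discussed; not Ethereal's real API. */

/* Does the segment begin with an HTTP request or reply line? */
static int starts_http(const char *d) {
    return !strncmp(d, "GET ", 4) || !strncmp(d, "POST ", 5) ||
           !strncmp(d, "HTTP/1.", 7);
}

/* Port-based HTTP dissector. Lenient: claims every segment on its port.
   Strict: rejects (NULL) segments that lack a request/reply line. */
static const char *dissect_http(const char *d, int strict) {
    if (starts_http(d)) return "HTTP";
    return strict ? NULL : "HTTP continuation";
}

/* Heuristic dissector; the "YMSG" magic is an assumption for this example. */
static const char *heur_ymsg(const char *d) {
    return strncmp(d, "YMSG", 4) == 0 ? "YMSG" : NULL;
}

/* TCP-level dispatch: the flag only decides which kind is tried first. */
const char *tcp_dispatch(const char *d, int port, int heur_first, int strict) {
    const char *r;
    if (heur_first && (r = heur_ymsg(d)) != NULL) return r;
    if (port == 80 && (r = dissect_http(d, strict)) != NULL) return r;
    if (!heur_first && (r = heur_ymsg(d)) != NULL) return r;
    return "Data"; /* nobody claimed the segment */
}

int main(void) {
    /* Constructed port-80 segments, seen without TCP reassembly. */
    const char *segs[] = { "GET / HTTP/1.1\r\n\r\n", "<p>rest of a reply body",
                           "YMSG-constructed-payload" };
    for (int heur = 0; heur <= 1; heur++)
        for (int strict = 0; strict <= 1; strict++)
            for (int i = 0; i < 3; i++)
                printf("heur_first=%d strict_http=%d %-12.12s -> %s\n", heur,
                       strict, segs[i], tcp_dispatch(segs[i], 80, heur, strict));
    return 0;
}
```

With the strict HTTP dissector the non-HTTP segment reaches the heuristic even when the flag is off, but the genuine body segment falls through to plain data, which is the loss the message describes when reassembly is not in use.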