Thomas Anders wrote:
> If UDP packets in the same capture use the same (non-well-known) source
> port for different protocols, the first dissector "wins", i.e. tries
> to dissect all those packets, even for the other protocols.
> Even worse, I've been unable to change this behaviour with "Decode As".
>
> The attached sample capture file illustrates the problem. The first
> two packets (SNMP) are dissected fine in my Ethereal (CVS), but the
> other three (TFTP) are not, because they're dissected as SNMP.
>
> Am I missing something obvious? Otherwise, can anything be done
> about it?
>
The SNMP dissector starts up a "conversation" to handle some specific
scenario (as described in the source code extract below). Conversations
have the highest priority when Ethereal selects what dissector to call.

It is currently not possible for the SNMP dissector to reject the packet
if it doesn't look like an SNMP packet and get the packet dissected based
on port number or similar.

One way of solving this particular problem could maybe be to add a
preference setting in the SNMP dissector that specifies if it should
start up a conversation. There is then of course a risk that some SNMP
packets are not decoded as SNMP automatically if you don't have that
setting.

	/*
	 * The first SNMP packet goes to the SNMP port; the second one
	 * may come from some *other* port, but goes back to the same
	 * IP address and port as the ones from which the first packet
	 * came; all subsequent packets presumably go between those two
	 * IP addresses and ports.
	 *
	 * If this packet went to the SNMP port, we check to see if
	 * there's already a conversation with one address/port pair
	 * matching the source IP address and port of this packet,
	 * the other address matching the destination IP address of this
	 * packet, and any destination port.
	 *
	 * If not, we create one, with its address 1/port 1 pair being
	 * the source address/port of this packet, its address 2 being
	 * the destination address of this packet, and its port 2 being
	 * wildcarded, and give it the SNMP dissector as a dissector.
	 */
	if (pinfo->destport == UDP_PORT_SNMP) {
		conversation = find_conversation(&pinfo->src, &pinfo->dst, PT_UDP,
		    pinfo->srcport, 0, NO_PORT_B);
		if (conversation == NULL) {
			conversation = conversation_new(&pinfo->src, &pinfo->dst, PT_UDP,
			    pinfo->srcport, 0, NO_PORT2);
			conversation_set_dissector(conversation, snmp_handle);
		}
	}
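
Added example, not part of the original message and not Ethereal's code: a simplified C model of the lookup described above, showing how a conversation with a wildcarded second port claims a later TFTP packet that reuses the same source port. The string addresses, the single table, and the start_conv flag (standing in for the preference proposed in the reply) are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not Ethereal's code: addresses are strings, one table. */
#define PORT_SNMP 161
#define PORT_TFTP 69
#define MAX_CONV  8

struct packet { const char *src, *dst; int srcport, dstport; };
struct conv   { const char *a1, *a2; int port1; const char *dissector; };

static struct conv table[MAX_CONV]; static int nconv;

/* Match address 1/port 1 and address 2; port 2 is wildcarded, as in the extract. */
static const struct conv *find_conv(const struct packet *p) {
    for (int i = 0; i < nconv; i++)
        if (!strcmp(table[i].a1, p->src) && !strcmp(table[i].a2, p->dst) &&
            table[i].port1 == p->srcport)
            return &table[i];
    return NULL;
}

/* Port-based fallback, used only when no conversation claims the packet. */
static const char *by_port(int port) {
    return port == PORT_SNMP ? "snmp" : port == PORT_TFTP ? "tftp" : "data";
}

/* start_conv models the hypothetical preference proposed in the reply. */
const char *dissect(const struct packet *p, int start_conv) {
    const struct conv *c = find_conv(p);
    if (c) return c->dissector;            /* conversations have priority */
    if (p->dstport == PORT_SNMP && start_conv && nconv < MAX_CONV)
        table[nconv++] = (struct conv){ p->src, p->dst, p->srcport, "snmp" };
    return by_port(p->dstport);
}

void reset_conversations(void) { nconv = 0; }

int main(void) {
    /* Constructed packets: one client source port reused for SNMP, then TFTP. */
    struct packet snmp = { "10.0.0.1", "10.0.0.2", 40000, PORT_SNMP };
    struct packet tftp = { "10.0.0.1", "10.0.0.2", 40000, PORT_TFTP };
    for (int pref = 1; pref >= 0; pref--) {
        reset_conversations();
        const char *first = dissect(&snmp, pref);
        const char *second = dissect(&tftp, pref);
        printf("pref=%d: %s, then %s\n", pref, first, second);
    }
    return 0;
}
```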