Brian Vandenberg wrote:
As far as I can tell, basically, I can't use a heuristic dissector to
dissect anything http has already looked at if another dissector has
registered itself as a subdissector for the given port. Is that about
accurate?
Yes.
The same problem exists with TCP or UDP if the "Try heuristic
sub-dissectors first" preference isn't set. If it *is* set, a heuristic
dissector with too-weak heuristics (i.e., one that accepts packets that
aren't for the protocol in question) can grab packets not for it and not
let dissectors registered for ports see the packets.
Perhaps the HTTP dissector should have a similar preference.
BTW, does your protocol (which I assume runs atop HTTP) have a
Content-Type (media type) value associated with it? If so, you might
want to register that media type in the "media_type" string dissector table.