Wireshark-dev: Re: [Wireshark-dev] Using port numbers to determine next dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 7 Apr 2009 09:49:37 -0700

On Apr 7, 2009, at 1:52 AM, Rayne wrote:

** What do you mean by "'Decode As' mechanism"?

Select, for example, a UDP packet, and select "Decode As" from the "Analyze" menu. The "Transport" tag is probably displayed; if not, select it. It should offer the option of dissecting the packet's UDP source port number, the packet's UDP destination port number, or both port numbers as one of a list of protocols.

** I was thinking more in general terms. If traffic from another protocol is wrongly classified as Protocol A, how do I determine what protocol it actually belongs to?

If "I" refers to you as a Wireshark user, you'd look at the raw hex data and see what the packet looks like.

If "I" refers to you as a Wireshark dissector writer, you'd make your dissector look at the raw binary data handed to it and see whether it looks like one of its packets or not.

There doesn't exist a magical general solution that always arranges that packets are dissected by the right dissector.

Unless there's some flavor of GTP version 1 documented elsewhere that runs over TCP ports 2123 or 2152, the GTP dissector shouldn't register for those ports, just for UDP ports 2123 and 2152.

** That's what I thought, but I saw packets classified as GTP with TCP port 2152 listed as their source or destination ports.

When I said "shouldn't", I meant it in a prescriptive sense, rather than a descriptive sense - unless there's some way in which GTPv1 runs over TCP ports 2123 or 2152, it's not correct for the GTP dissector to register for those ports (that's the prescriptive sense of "shouldn't"), but it *does* register for them ("shouldn't" in the descriptive sense would have meant "the dissector doesn't register for those ports, so there's no way it could be handed those packets").