Wireshark-dev: Re: [Wireshark-dev] Question about port registrations

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 27 May 2009 15:10:42 -0700

On May 27, 2009, at 2:26 PM, Bryant Eastham wrote:

Q: Does “dissector_add” differentiate between src and dst port? [I think not, the registration is by name and the dissector (TCP) chooses how to use it.]

No.

Q: Does wireshark prioritize between built-in vs. plugin dissectors? [I think not.]

No.

Q: Does wireshark prioritize between dissectors based on matches on src vs. dst port?

No.

It prioritizes based on the port number; lower port numbers are preferred to higher port numbers, as they're more likely to be well-known ports.

My fundamental issue is that I would expect that priority be given to the dissector on the *server* (dst) port, as it is the more likely to be standardized vs. ephemeral.

The destination port is the server port only for requests. If the capture includes the entire session, all the way back to the initial SYN, and we remember, for each new TCP connection, the source and destination ports for the initial SYN, we can determine, for packets in that connection, which port is the "client" port and which the "server" port.
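
The two selection rules discussed in this message, as an added example that is not part of the original e-mail and not Wireshark source: `preferred_port()` returns the server port recorded from a connection's initial SYN and, when that SYN is not in the capture, falls back to the lower port number. The `pkt_t` and `conv_t` types, the function names and the sample packets are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_CONVS 64

/* Constructed types for this example; not Wireshark structures. */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t flags; } pkt_t;
typedef struct { uint32_t client_ip, server_ip; uint16_t client_port, server_port; } conv_t;

static conv_t convs[MAX_CONVS];   /* connections whose initial SYN was captured */
static size_t n_convs;

/* Find the recorded connection a packet belongs to, in either direction. */
static const conv_t *find_conv(const pkt_t *p) {
    for (size_t i = 0; i < n_convs; i++) {
        const conv_t *c = &convs[i];
        int fwd = p->src_ip == c->client_ip && p->src_port == c->client_port &&
                  p->dst_ip == c->server_ip && p->dst_port == c->server_port;
        int rev = p->src_ip == c->server_ip && p->src_port == c->server_port &&
                  p->dst_ip == c->client_ip && p->dst_port == c->client_port;
        if (fwd || rev)
            return c;
    }
    return NULL;
}

/* Port whose dissector registration should be tried first for this packet. */
uint16_t preferred_port(const pkt_t *p) {
    const conv_t *c = find_conv(p);
    /* Initial SYN (SYN set, ACK clear): its destination is the server port. */
    if (!c && (p->flags & (TH_SYN | TH_ACK)) == TH_SYN && n_convs < MAX_CONVS) {
        convs[n_convs] = (conv_t){ p->src_ip, p->dst_ip, p->src_port, p->dst_port };
        c = &convs[n_convs++];
    }
    if (c)
        return c->server_port;
    /* SYN not in the capture: fall back to preferring the lower port number. */
    return p->src_port < p->dst_port ? p->src_port : p->dst_port;
}

int main(void) {
    /* Constructed packets: client port 1024 talking to a server on 8080. */
    pkt_t syn = { 0x0a000001, 0x0a000002, 1024, 8080, TH_SYN };
    pkt_t mid = { 0x0a000003, 0x0a000004, 1024, 8080, TH_ACK };
    printf("%u %u\n", (unsigned)preferred_port(&syn), (unsigned)preferred_port(&mid));
    return 0;
}
```

With both ports unprivileged, the lower-port rule alone picks the client's port 1024 for the mid-session packet, while the connection whose SYN was captured resolves to 8080 in both directions.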