Wireshark-dev: Re: [Wireshark-dev] Two dissectors on same TCP port?

From: Alex Lindberg <alindber@xxxxxxxxx>
Date: Wed, 30 Sep 2009 13:21:44 -0700 (PDT)
In my specific case, the custom protocol runs on the same TCP port as the h248 MEGACO protocol and relays custom information between a media gateway and its controller.

The custom protocol uses what I would call a "magic cookie" as the first 4 bytes following the tpkt part of the h248 message.  These bytes are chosen because they would never appear if the data contained was true h248.

At the moment, I have added code to the h.248 dissector to check for this byte stream and call the custom dissector if they are detected.

I would suppose that code could be added to packet-h248.c that would look for true h248 data.  If not found, return all data back to wireshark.  This might be a good thing anyhow.  If this approach were followed, would wireshark then look for any other registered dissectors on the h248 port?

Thanks for your assistance.

Alex Lindberg

--- On Wed, 9/30/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:

From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Two dissectors on same TCP port?
To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
Date: Wednesday, September 30, 2009, 1:43 PM


On Sep 30, 2009, at 11:30 AM, Alex Lindberg wrote:

> I am creating a custom dissector that runs on a TCP port already 
> covered by one of the standard dissectors.
>
> How can I overload the dissector registration so that if the 
> unique condition exists for my custom dissector my dissector will be 
> used, otherwise pass control back to Wireshark?

What is the unique condition?

Is it something in the contents of the packet, or is it a preference 
setting, or is it something else?

One way to do this would be to make your dissector a heuristic 
dissector, have it check for the port number and the unique condition 
(if there's a match, dissect and return TRUE, otherwise return FALSE), 
and set the TCP preference to run the heuristic dissectors first.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
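Added example, not from the thread or from Wireshark's own sources: the decision logic of the heuristic Guy Harris describes, applied to Alex Lindberg's case (TPKT framing on the H.248 port, a 4-byte "magic cookie" right after the TPKT header). It is written as plain C over a byte buffer so it runs without Wireshark headers; inside Wireshark the same check would sit in a `heur_dissect_*` function registered on the "tcp" heuristic list with `heur_dissector_add()` (whose exact parameter list varies by Wireshark version) and would return TRUE only when the cookie is present, with the TCP preference to try heuristic sub-dissectors first enabled. The cookie value, the port constant (2945, the IANA h248-binary port) and the sample payloads are constructed assumptions; the thread gives none of them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPKT header (RFC 1006): version 3, reserved 0, 16-bit big-endian length
 * that counts the whole unit including these 4 header bytes. */
#define TPKT_HDR_LEN   4
#define TPKT_VERSION   3
#define COOKIE_LEN     4

/* Assumed port: IANA h248-binary is TCP 2945; use whatever port the
 * H.248 dissector is actually configured for. */
#define H248_TCP_PORT  2945

/* Constructed placeholder for the custom protocol's 4-byte magic cookie.
 * The thread does not give the real value; it must be chosen so that a true
 * H.248 message can never begin with it, as the thread requires. */
static const uint8_t MAGIC_COOKIE[COOKIE_LEN] = { 0xFF, 0x00, 0xFF, 0x00 };

/* Return 1 when the TCP payload is a TPKT unit whose first 4 body bytes are
 * the magic cookie (custom protocol), 0 otherwise (leave it to H.248).
 * This is the decision a Wireshark heuristic dissector makes before it
 * returns TRUE or FALSE. */
int custom_cookie_present(const uint8_t *buf, size_t len)
{
    unsigned tpkt_len;

    if (buf == NULL || len < TPKT_HDR_LEN + COOKIE_LEN)
        return 0;                       /* too short to decide: not ours */
    if (buf[0] != TPKT_VERSION || buf[1] != 0)
        return 0;                       /* not a TPKT header at all */

    tpkt_len = ((unsigned)buf[2] << 8) | buf[3];
    if (tpkt_len < TPKT_HDR_LEN + COOKIE_LEN)
        return 0;                       /* header claims a body too small for a cookie */

    return memcmp(buf + TPKT_HDR_LEN, MAGIC_COOKIE, COOKIE_LEN) == 0;
}

/* Shape of the heuristic from the thread: check the port number and the
 * unique condition; 1 means "dissect as custom", 0 means "not mine, fall
 * through to the normal port-based dissector". */
int heur_custom_over_h248_port(uint16_t src_port, uint16_t dst_port,
                               const uint8_t *buf, size_t len)
{
    if (src_port != H248_TCP_PORT && dst_port != H248_TCP_PORT)
        return 0;
    return custom_cookie_present(buf, len);
}

int main(void)
{
    /* Constructed sample TCP payloads: TPKT header followed by a body. */
    const uint8_t custom_pdu[] = { 0x03, 0x00, 0x00, 0x0A,
                                   0xFF, 0x00, 0xFF, 0x00, 0x11, 0x22 };
    const uint8_t h248_text[]  = { 0x03, 0x00, 0x00, 0x0B,
                                   'M', 'E', 'G', 'A', 'C', 'O', '/' };
    const uint8_t not_tpkt[]   = { 'G', 'E', 'T', ' ', '/', ' ' };

    printf("custom cookie on H.248 port: %d\n",
           heur_custom_over_h248_port(40000, H248_TCP_PORT, custom_pdu, sizeof custom_pdu));
    printf("text H.248 on H.248 port:    %d\n",
           heur_custom_over_h248_port(40000, H248_TCP_PORT, h248_text, sizeof h248_text));
    printf("custom cookie on other port: %d\n",
           heur_custom_over_h248_port(40000, 8080, custom_pdu, sizeof custom_pdu));
    printf("non-TPKT on H.248 port:      %d\n",
           heur_custom_over_h248_port(40000, H248_TCP_PORT, not_tpkt, sizeof not_tpkt));
    return 0;
}
```

Returning 0 for anything that is not a well-formed TPKT unit with the cookie is the important property: the heuristic must never claim a segment it cannot prove is the custom protocol, otherwise real H.248 traffic would be mis-dissected. The length sanity check also keeps the cookie comparison from reading past a body that is shorter than the header claims.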