Wireshark-dev: Re: [Wireshark-dev] How to create TVB to pass to dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 12 May 2011 10:57:36 -0700
On May 12, 2011, at 12:53 AM, Anders Broman wrote:

> I don't think you should modify the packet but find a way to call the H.225 dissector directly, at a glance this seems to be done already
> for some case:
> Line 2895 call_dissector(h225_handle...

It's done already if:

	1) this is Q.931 "over IP" (where "over IP" is as defined in my previous message);

	2) there are at least 4 bytes available in the IE;

	3) the code set is 0;

	4) it's a user-user IE;
	
	5) the first octet past the IE length is 0x05, i.e. Q931_PROTOCOL_DISCRIMINATOR_ASN1, described as "X.208 and X.209 coded user information" (for which read "ASN.1 BER").

The problem in Alex Lindberg's case is presumably that the dissector doesn't think this is Q.931 "over IP", presumably because either

	1) it really *isn't* over IP;

	2) it is over IP, but it's not over TPKT or over SCTP with a PPI of 13.
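
The five conditions listed in the message above, written out as a stand-alone C model (an added example, not Wireshark's packet-q931.c code). The function name, the result enum, the 0x7E user-user identifier, the two-octet length field assumed for the over-IP case, and the final truncation check are assumptions of this example; the sample bytes in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_USER_USER 0x7E /* Q.931 user-user IE identifier (assumed here) */
#define PD_ASN1      0x05 /* Q931_PROTOCOL_DISCRIMINATOR_ASN1, as in the message */

/* UU_H225 means all conditions held; any other value names the first failure. */
enum uu_result { UU_H225 = 0, UU_NOT_OVER_IP, UU_TOO_SHORT, UU_CODESET,
                 UU_NOT_USER_USER, UU_NOT_ASN1, UU_TRUNCATED };

/*
 * buf/len: captured bytes; off: offset of the IE identifier octet.
 * Assumed over-IP layout: id(1) | length(2, big-endian) | discriminator(1) | payload.
 * The length is assumed to count the discriminator octet, so the payload
 * handed to the ASN.1 decoder is length - 1 bytes starting at off + 4.
 */
enum uu_result classify_uu_ie(const uint8_t *buf, size_t len, size_t off,
                              int is_over_ip, unsigned codeset,
                              size_t *payload_off, size_t *payload_len)
{
    if (!is_over_ip)                  return UU_NOT_OVER_IP;   /* condition 1 */
    if (off > len || len - off < 4)   return UU_TOO_SHORT;     /* condition 2 */
    if (codeset != 0)                 return UU_CODESET;       /* condition 3 */
    if (buf[off] != IE_USER_USER)     return UU_NOT_USER_USER; /* condition 4 */
    if (buf[off + 3] != PD_ASN1)      return UU_NOT_ASN1;      /* condition 5 */

    /* Extra check added in this example: never trust the declared length. */
    size_t ie_len = ((size_t)buf[off + 1] << 8) | buf[off + 2];
    /* len - off >= 4 was established above, so the subtraction cannot wrap. */
    if (ie_len < 1 || ie_len > len - off - 3) return UU_TRUNCATED;

    *payload_off = off + 4;
    *payload_len = ie_len - 1;
    return UU_H225;
}

int main(void)
{
    /* Constructed sample: user-user IE, length 3, discriminator 0x05, 2 payload bytes. */
    const uint8_t ie[] = { 0x7E, 0x00, 0x03, 0x05, 0xAA, 0xBB };
    size_t po = 0, pl = 0;
    enum uu_result r = classify_uu_ie(ie, sizeof ie, 0, 1, 0, &po, &pl);
    printf("result=%d payload_off=%zu payload_len=%zu\n", (int)r, po, pl);
    return 0;
}
```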