Wireshark-dev: Re: [Wireshark-dev] sctp & heuristic dissecting

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Nov 2012 15:44:04 -0800
On Nov 28, 2012, at 6:53 AM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:

> what I do not understand is why are functions like:
> 
> dissector_try_heuristic
> guint8_pbrk
> dissect_sip_common
> 
> called since:
> 
> 1. the sctp chunks do NOT contain the data of any application level protocol

How is the SCTP dissector to know that except by checking all the heuristic dissectors registered with it?  This includes the SIP dissector (which does the heuristic checking by calling dissect_sip_common() with the is_heur argument set to TRUE).  That code tries to find a line ending and, if that fails, returns -2, which, in this case, is interpreted as "not SIP".

> 2. the ports used are NOT the default sip ports..

SIP is registered as a heuristic dissector for UDP, TCP, and SCTP, so the port numbers don't matter.  The whole point of registering a dissector as a heuristic dissector is so that it can be called even if there's no "protocol ID" field (a port field isn't a protocol ID field).

> 3. in the Edit/Preferences/Protocols/SCTP window, _none_ of:
> a. "Try heuristic sub-dissectors first"

That's "first", i.e. "before the PPI/port dissectors", as opposed to "last", i.e. "after the PPI/port dissectors", not "first" as opposed to "not at all".

> b. "Dissect upper layer protocols
> are checked.

Which version of Wireshark is this?  In the top-of-trunk packet-sctp.c, if enable_ulp_dissection is FALSE, the heuristic dissectors and the PPI/port dissectors aren't called, so if "Dissect upper layer protocols" is un-checked (it defaults to TRUE, so you have to explicitly un-check it), those shouldn't be called.

> otoh, why is it trying to dissect sip and not diameter for example??

Because the Diameter dissector doesn't register itself as a heuristic dissector atop any protocol, while the SIP dissector, as noted above, registers itself as a heuristic dissector atop UDP, TCP, and SCTP.