Hi,
I've written a Wireshark dissector for communication between industrial
control systems, which comes as the payload of COTP packets.
But the packets are displayed as the T.125 protocol until I disable that
protocol in the Wireshark settings to get my own dissector working.
For myself I have no problem with this, but I have hosted this project
on SourceForge and there are other users of this plugin, so it would be
nice if it could be fixed.
I have checked the relevant source file for the T.125 dissector:
/asn1/t125/packet-t125-template.c
The first heuristic check is:
(ber_class==BER_CLASS_APP) && ((tag>=101) && (tag<=104))
The first "ber" check could not be the problem, because it checks
only the first byte of the COTP payload, and the first byte of my
protocol is always 0x32. And (0x32 >> 6) & 0x03 is not equal to
BER_CLASS_APP, which is 1.
So the second check (a reminiscence of Douglas Adams?) with the magic 42
comes in:
(choice_index <=42)
The check is marked with a comment:
/* is this strong enough ? */
And I would answer: No, it is not.
I've taken a look at the relevant source file "packet-per.c", where
"choice_index" is the function parameter "val".
But "val" is calculated, shifted and so on several times, so that I don't
know what value comes out.
Is there a possibility to make the heuristic check of the T.125
protocol stronger?
--
Thomas Wiens
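Added example (not Wireshark's code and not part of the post above): a Python model of the two heuristic checks quoted in the mail, to show what value the second check actually sees for a payload that starts with 0x32. It assumes that the second check decodes the start of the payload as an aligned-PER constrained integer in the range 0..42 (the range appearing in the check; presumably the index of the T.125 DomainMCSPDU CHOICE), which the PER rules encode as a 6-bit bit-field taken from the top of the first octet without octet alignment. The function names and the sample payloads are constructed for this example.

```python
# Added example, not code from Wireshark or from the dissector discussed above.
# It models the two checks of the T.125 heuristic: a BER identifier check
# (class APPLICATION, tag 101..104) and a PER choice-index check (index <= 42).

BER_CLASS_UNI, BER_CLASS_APP, BER_CLASS_CON, BER_CLASS_PRI = 0, 1, 2, 3


def ber_identifier(payload):
    """Decode the BER identifier octet(s) at offset 0 -> (class, constructed, tag).

    Class is bits 7-6 of the first octet, the constructed flag is bit 5 and the
    tag number is the low 5 bits.  Tags >= 31 (such as 101..104) use the
    high-tag-number form: the low 5 bits are all ones and the tag follows as
    base-128 octets with a continuation bit (X.690 8.1.2.4).
    Returns None for an empty or truncated identifier.
    """
    if not payload:
        return None
    first = payload[0]
    ber_class = (first >> 6) & 0x03
    constructed = bool(first & 0x20)
    tag = first & 0x1F
    if tag == 0x1F:
        tag = 0
        for b in payload[1:]:
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        else:
            return None
    return ber_class, constructed, tag


def per_choice_index(payload, alternatives=43):
    """Assumed decoding of the second check: the aligned-PER index of a CHOICE
    with `alternatives` alternatives.  For a range of at most 255 values PER
    uses the minimum number of bits as an unaligned bit-field, so for 43
    alternatives (0..42) the index is simply the top 6 bits of the first octet.
    """
    if not payload:
        return None
    bits = (alternatives - 1).bit_length()   # 43 alternatives -> 6 bits
    return (payload[0] >> (8 - bits)) & ((1 << bits) - 1)


def t125_heuristic(payload):
    """Model of the heuristic: (claimed_as_t125, reason)."""
    ident = ber_identifier(payload)
    if ident is not None:
        ber_class, _constructed, tag = ident
        if ber_class == BER_CLASS_APP and 101 <= tag <= 104:
            return True, "BER APPLICATION tag %d" % tag
    index = per_choice_index(payload)
    if index is not None and index <= 42:
        return True, "PER choice_index %d <= 42" % index
    return False, "no match"


def first_octets_claimed_by_per_check():
    """All first-octet values for which the choice_index check alone matches."""
    return [b for b in range(256) if per_choice_index(bytes([b])) <= 42]


if __name__ == "__main__":
    # Constructed sample payloads (not captured traffic):
    samples = {
        "first byte 0x32":          bytes([0x32, 0x01, 0x00, 0x00]),
        "BER Connect-Initial":      bytes([0x7F, 0x65, 0x82, 0x01, 0x00]),
        "first byte 0xFF":          bytes([0xFF, 0x00]),
    }
    for name, payload in samples.items():
        print("%-24s -> %s" % (name, t125_heuristic(payload)))
    claimed = first_octets_claimed_by_per_check()
    print("first octets 0x00..0x%02X (%d of 256) pass the choice_index check"
          % (claimed[-1], len(claimed)))
```

Under this model a payload beginning with 0x32 yields a choice index of 12 (0x32 >> 2), which is below 42, so the second check claims it regardless of what follows; in fact every first octet up to 0xAB passes that check, which is why a single-octet range test makes a weak heuristic.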