Wireshark-dev: Re: [Wireshark-dev] Dissector for a custom protocol which starts as HTTP

From: Eugène Adell <eugene.adell@xxxxxxxxx>
Date: Wed, 17 Apr 2019 06:39:36 +0200
Hello,

in the Wireshark GUI did you try the "Decode As" functionality ? You
get it in the right-clic on a packet (or in Analyze menu). You also
can have a look at Analyze -> Enabled protocols.

see : https://www.wireshark.org/docs/wsug_html_chunked/ChUseAnalyzeMenuSection.html

Eugene

Le mar. 16 avr. 2019 à 23:22, David Ameiss <netshark@xxxxxxxxxxxxx> a écrit :
>
> I've developed a dissector for a custom protocol used by my company. The
> protocol starts out as HTTP, as in an HTTP GET, but after that uses the
> "custom" part - not HTTP at all.
>
> The problem I'm running into is that, once a conversation is identified
> by the HTTP dissector as being HTTP (due to the first message, which IS
> HTTP), it stays that way. My dissector isn't called. I've added my
> dissector as a heuristic dissector for HTTP, but that doesn't seem to
> help. And unfortunately (since subsequent packets are not HTTP) I don't
> have Content-Type to steer the packets my way.
>
> Subsequent packets appear as HTTP Continuation, BTW.
>
> Is there some way to tell HTTP not to treat following packets for that
> conversation as HTTP, and to pass them to my dissector? Or a way to call
> the HTTP dissector (from my dissector) for the first packet WITHOUT it
> being "marked" as HTTP forever and ever?
>
> --
> David Ameiss
> netshark@xxxxxxxxxxxxx
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe