Does your protocol use an Upgrade header? If so, you can register with the http.upgrade dissector table.
Search also for "upgrade" in https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-http.c
Once control is handed to http, I don't think you can change it. Protocols like SMTP that use STARTTLS do something like this:
- Protocol starts being decoded as SMTP
- SMTP signals STARTTLS, so SMTP calls into the TLS dissector to let it know that everything after this packet is TLS with SMTP embedded.
- Due to that call TLS becomes the conversation dissector, but because it had a special case for detecting where TLS actually starts, it will reject earlier traffic, giving others a chance to handle it.
See "last_nontls_frame" in
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls.c
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls-utils.c
Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)
On April 16, 2019 10:20:46 PM GMT+01:00, David Ameiss <netshark@xxxxxxxxxxxxx> wrote:
>I've developed a dissector for a custom protocol used by my company.
>The
>protocol starts out as HTTP, as in an HTTP GET, but after that uses the
>
>"custom" part - not HTTP at all.
>
>The problem I'm running into is that, once a conversation is identified
>
>by the HTTP dissector as being HTTP (due to the first message, which IS
>
>HTTP), it stays that way. My dissector isn't called. I've added my
>dissector as a heuristic dissector for HTTP, but that doesn't seem to
>help. And unfortunately (since subsequent packets are not HTTP) I don't
>
>have Content-Type to steer the packets my way.
>
>Subsequent packets appear as HTTP Continuation, BTW.
>
>Is there some way to tell HTTP not to treat following packets for that
>conversation as HTTP, and to pass them to my dissector? Or a way to
>call
>the HTTP dissector (from my dissector) for the first packet WITHOUT it
>being "marked" as HTTP forever and ever?
>
>--
>David Ameiss
>netshark@xxxxxxxxxxxxx
>___________________________________________________________________________
>Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>Archives: https://www.wireshark.org/lists/wireshark-dev
>Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe