Hi,
Yesterday I've spent some time figuring out why the http2_tcp heuristic dissector wasn't working on my particular pcap. Turns out the reason is that tcpros_tcp was claiming the data before http_tcp could get a turn (http2_tcp is registered under http despite the _tcp in the name). In particular the function is_rosmsg in packet-tcpros.c returns true if one signed gint taken from the message is greater than another one (this is done by if( string_len > (msg_len - (4 + 8 + 4)) ) return FALSE;) This is enough for the data to be claimed by tcpros_tcp. For purely statistical reasons this will match about half of the packets it is given for detection. I'm assuming that there will be more non-users of the ROS protocol than there will be users, so I think a better default would be to have this heuristic disabled by default.
Alternatively I've noticed that this condition attempts to detect a string. There's one more string detection code in is_rosheaderfield, which also checks if the string fits within the available data, if its size is non-negative, and if it consists entirely of alpha-numerical ASCII characters. I have no idea if at least some of these checks could also be applied in is_rosmsg, but it should make the heuristic more manageable.
What do you think?