Wireshark-users: Re: [Wireshark-users] DCERPC over TCP

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Tue, 27 Dec 2011 01:36:39 +0100
Hi,

> Note that the TCP dissector has a preference to:
>
>        "Try to decode a packet using an heuristic sub-dissector before using
> a sub-dissector registered to a specific port",

I am looking at a Wireshark snapshot that contains traffic between
various clients and one TCP server port 135 (DCERPC over TCP). For the
client port 2152 (gtp-user) the detected protocol in Wireshark is GTP
instead of DCERPC, showing "For future use" and "Unknown extension
header" in its details. However, removing the registered TCP port from
the GTP protocol in Wireshark's preferences results in these packets
being (correctly) dissected as DCERPC.

Shouldn't the heuristic sub-dissector for DCERPC be favored over the
port-registered GTP dissector?

Cheers,
Andrej
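The dissector selection Andrej describes, modelled in Python as an added example (this is not Wireshark's code). It assumes, as the observed behaviour suggests, that DCERPC over TCP is registered only as a heuristic dissector while GTP is registered on TCP port 2152, so without the "try heuristic first" preference the port lookup wins; the DCERPC header checks are a simplified version of what a real heuristic applies.

```python
"""Model of TCP sub-dissector selection: port-registered dissectors vs.
heuristic ones, and the effect of the 'try heuristic sub-dissectors first'
preference. Constructed example; not Wireshark source."""
import struct

# Constructed DCERPC connection-oriented common header (16 bytes):
# rpc_vers=5, rpc_vers_minor=0, ptype=0x0B (bind), pfc_flags=0x03
# (first|last frag), drep=0x10 (little-endian), frag_length=72,
# auth_length=0, call_id=1, followed by zero padding to frag_length.
DCERPC_BIND_HDR = bytes([5, 0, 0x0B, 0x03, 0x10, 0, 0, 0]) + struct.pack("<HHI", 72, 0, 1)
DCERPC_BIND = DCERPC_BIND_HDR + b"\x00" * (72 - 16)

# Assumed port table for this model: only GTP is bound to a TCP port;
# DCERPC is reachable through the heuristic path alone.
PORT_TABLE = {2152: "gtp"}


def dcerpc_heuristic(payload: bytes) -> bool:
    """Simplified DCERPC heuristic: version 5.0/5.1, a plausible PDU type,
    and a fragment length matching the bytes actually present."""
    if len(payload) < 16:
        return False
    vers, minor, ptype = payload[0], payload[1], payload[2]
    little_endian = payload[4] & 0x10
    frag_len = struct.unpack("<H" if little_endian else ">H", payload[8:10])[0]
    return vers == 5 and minor in (0, 1) and ptype <= 0x13 and frag_len == len(payload)


HEURISTICS = {"dcerpc": dcerpc_heuristic}


def dispatch(src_port, dst_port, payload, try_heuristic_first=False, port_table=PORT_TABLE):
    """Return the name of the dissector that claims this TCP payload."""
    def by_port():
        # Lower-numbered port is tried first, then the other one.
        for port in sorted((src_port, dst_port)):
            if port in port_table:
                return port_table[port]
        return None

    def by_heuristic():
        for name, check in HEURISTICS.items():
            if check(payload):
                return name
        return None

    order = (by_heuristic, by_port) if try_heuristic_first else (by_port, by_heuristic)
    for attempt in order:
        name = attempt()
        if name:
            return name
    return "data"
```

Removing 2152 from the port table (what the preference change in the thread does) is the same as `dispatch(135, 2152, DCERPC_BIND, port_table={})`, which also ends up at DCERPC.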