Wireshark-users: Re: [Wireshark-users] wireshark keeps on decoding SIP over UDP on non-standard p

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Tue, 29 Nov 2022 09:42:59 -0600
The heuristic for SIP doesn't do any validation before passing the data to the main SIP dissector:
https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398

You could disable protocol "sip_udp" to prevent it from being called.

Or if you would like to test a development build (4.1.0rc0) https://www.wireshark.org/download/automated/, it is possible to set "Decode as..." for a UDP Port to the "Data" dissector.

11.4.2. User Specified Decodes
https://www.wireshark.org/docs/wsug_html/#ChAdvDecodeAs

Unable to disable decoding
https://gitlab.com/wireshark/wireshark/-/issues/12098

decode as: Add data dissector to all tables that support Decode As
https://gitlab.com/wireshark/wireshark/-/merge_requests/7180

On Tue, Nov 29, 2022 at 8:08 AM Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
Hello Jaap, all,
nothing there as well.

Kind Regards
Ariel Burbaickij

On Mon, Nov 28, 2022 at 9:23 PM Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
Hi,

Have you looked at the table in Analyse | Decode As...?

Thanks,
Jaap

> On 28 Nov 2022, at 16:51, Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
>
> Hello all,
> we observe that wireshark correctly decodes SIP over non-standard UPD port, even where it is undesirable for our purposes in this case. All options that we are aware of that would control such behaviour like trying heuristic dissectors are on OFF.  So, how is it done (analyzing the text behind the UDP header?) and how can it be prevented ?
>
> Kind Regards
> Ariel Burbaickij
>

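To illustrate the start-line validation that the thread says the SIP/UDP heuristic skips, here is an added Python example; it is not Wireshark code and not from any poster in this thread. The method list, URI-scheme restriction and sample datagrams are assumptions constructed for the example.

```python
import re

# Start-line grammar adapted from RFC 3261 sections 7.1 and 7.2.
# Method list and scheme restriction are assumptions for this example.
SIP_METHODS = [b"INVITE", b"ACK", b"BYE", b"CANCEL", b"REGISTER", b"OPTIONS",
               b"PRACK", b"SUBSCRIBE", b"NOTIFY", b"PUBLISH", b"INFO",
               b"REFER", b"MESSAGE", b"UPDATE"]
REQUEST_LINE = re.compile(
    rb"^(?:" + b"|".join(SIP_METHODS) + rb") "      # Method
    rb"[A-Za-z][A-Za-z0-9+.\-]*:[^ \r\n]+ "         # Request-URI (sip:, sips:, tel:, ...)
    rb"SIP/2\.0\r\n")                                # SIP-Version CRLF
STATUS_LINE = re.compile(rb"^SIP/2\.0 [1-6][0-9]{2} [^\r\n]*\r\n")

def sip_start_line_kind(payload: bytes):
    """Classify a UDP payload by its start line: 'request', 'response' or None.

    This is the check a port-independent heuristic should make before handing
    the datagram to the full dissector; without it, every UDP datagram reaches
    the SIP parser regardless of content or port.
    """
    if REQUEST_LINE.match(payload):
        return "request"
    if STATUS_LINE.match(payload):
        return "response"
    return None

# Constructed sample datagrams (not taken from any real capture).
SAMPLES = {
    "invite": b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5080\r\n\r\n",
    "ok": b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.1:5080\r\n\r\n",
    "rtp": b"\x80\x00\x00\x01\x00\x00\x03\xe8\x00\x00\x00\x01" + bytes(160),
    "lowercase": b"invite sip:bob@example.com SIP/2.0\r\n",   # methods are case-sensitive
    "no_code": b"SIP/2.0 OK\r\n",                              # status line without a code
}

def classify_all(samples=SAMPLES):
    """Return {name: kind} for every sample so the result can be inspected."""
    return {name: sip_start_line_kind(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:10s} -> {kind}")
```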
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe