Wireshark-users: Re: [Wireshark-users] wireshark keeps on decoding SIP over UDP on non-standard p

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Wed, 30 Nov 2022 09:16:19 -0600
Open an enhancement request: https://wiki.wireshark.org/WishList

Helps if you can attach a sample capture file.

On Wed, Nov 30, 2022 at 2:33 AM Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
> The heuristic for SIP doesn't do any validation before passing the data to the main SIP dissector:

Yes, thank you for pointing out where it happens, pretty thin layer of heuristics, indeed ;-).

> You could disable protocol "sip_udp" to prevent it from being called.
We cannot, as this would disable it over well-known UDP port 5060 as well and there we would like to keep it.

Instead of all these contortions, why not introduce the logic matching the one for TCP ports? Seems pretty natural and general to me.

Kind Regards
Ariel Burbaickij


On Tue, Nov 29, 2022 at 4:43 PM chuck c <bubbasnmp@xxxxxxxxx> wrote:
The heuristic for SIP doesn't do any validation before passing the data to the main SIP dissector:
https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398

You could disable protocol "sip_udp" to prevent it from being called.

Or if you would like to test a development build (4.1.0rc0) https://www.wireshark.org/download/automated/, it is possible to set "Decode as..." for a UDP Port to the "Data" dissector.

11.4.2. User Specified Decodes
https://www.wireshark.org/docs/wsug_html/#ChAdvDecodeAs

Unable to disable decoding
https://gitlab.com/wireshark/wireshark/-/issues/12098

decode as: Add data dissector to all tables that support Decode As
https://gitlab.com/wireshark/wireshark/-/merge_requests/7180

On Tue, Nov 29, 2022 at 8:08 AM Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
Hello Jaap, all,
nothing there as well.

Kind Regards
Ariel Burbaickij

On Mon, Nov 28, 2022 at 9:23 PM Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
Hi,

Have you looked at the table in Analyse | Decode As...  ?

Thanks,
Jaap

> On 28 Nov 2022, at 16:51, Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
>
> Hello all,
> we observe that wireshark correctly decodes SIP over a non-standard UDP port, even where it is undesirable for our purposes in this case. All options that we are aware of that would control such behaviour, like trying heuristic dissectors, are set to OFF. So, how is it done (analyzing the text behind the UDP header?) and how can it be prevented?
>
> Kind Regards
> Ariel Burbaickij
>

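The thread turns on the point that the SIP-over-UDP heuristic hands every payload to the full SIP dissector without first checking that it looks like SIP. The following is an added example, not Wireshark's code and not from any participant in the thread: it contrasts a non-validating heuristic (`accept_anything`) with a minimal validating one (`looks_like_sip`) that only accepts payloads whose first line has the shape of an RFC 3261 start line, i.e. a request line `METHOD SP Request-URI SP SIP/2.0` or a status line `SIP/2.0 SP 3-digit-code SP reason`. Function names and the sample payloads are constructed for the example; the binary sample stands in for the kind of non-SIP UDP traffic a thin heuristic would misclassify.

```c
/* Added example (not Wireshark code): a minimal SIP start-line check of the
 * kind a heuristic dissector could run before claiming a UDP payload.
 * Assumed names: looks_like_sip(), accept_anything(), SAMPLE_* payloads. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the first line up to (not including) CRLF; 0 if no CRLF found. */
static size_t first_line_len(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return i;
    }
    return 0;
}

/* Status-Line: "SIP/2.0 " + three digits + SP + Reason-Phrase */
static bool is_sip_status_line(const uint8_t *line, size_t n)
{
    if (n < 12 || memcmp(line, "SIP/2.0 ", 8) != 0)
        return false;
    for (size_t i = 8; i < 11; i++)
        if (!isdigit(line[i]))
            return false;
    return line[11] == ' ';
}

/* Request-Line: METHOD SP Request-URI SP "SIP/2.0" */
static bool is_sip_request_line(const uint8_t *line, size_t n)
{
    const size_t vlen = 7;              /* strlen("SIP/2.0") */
    if (n < vlen + 4)                   /* shortest form: "M U SIP/2.0" */
        return false;
    if (memcmp(line + n - vlen, "SIP/2.0", vlen) != 0 || line[n - vlen - 1] != ' ')
        return false;
    /* Method token: one or more upper-case letters, then exactly one SP */
    size_t i = 0;
    while (i < n && isupper(line[i]))
        i++;
    if (i == 0 || i >= n || line[i] != ' ')
        return false;
    /* Request-URI: non-empty, no spaces, contains a scheme separator ':' */
    size_t uri_start = i + 1, uri_end = n - vlen - 1;
    if (uri_end <= uri_start)
        return false;
    bool has_colon = false;
    for (size_t j = uri_start; j < uri_end; j++) {
        if (line[j] == ' ')
            return false;
        if (line[j] == ':')
            has_colon = true;
    }
    return has_colon;
}

/* Validating heuristic: claim the payload only if its first line is a plausible SIP start line. */
bool looks_like_sip(const uint8_t *buf, size_t len)
{
    size_t n = first_line_len(buf, len);
    if (n == 0)
        return false;
    return is_sip_status_line(buf, n) || is_sip_request_line(buf, n);
}

/* Non-validating heuristic of the kind the thread describes: any non-empty payload is "SIP". */
bool accept_anything(const uint8_t *buf, size_t len)
{
    (void)buf;
    return len > 0;
}

/* Constructed sample payloads (not captured traffic). */
const char SAMPLE_INVITE[] = "INVITE sip:bob@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP host.example.invalid\r\n\r\n";
const char SAMPLE_200[]    = "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n";
const char SAMPLE_TEXT[]   = "HELLO WORLD\r\n";            /* text protocol, not SIP */
const uint8_t SAMPLE_BIN[] = { 0x80, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };

static void report(const char *name, const uint8_t *buf, size_t len)
{
    printf("%-8s accept_anything=%d looks_like_sip=%d\n", name,
           accept_anything(buf, len), looks_like_sip(buf, len));
}

int main(void)
{
    report("INVITE", (const uint8_t *)SAMPLE_INVITE, sizeof SAMPLE_INVITE - 1);
    report("200 OK", (const uint8_t *)SAMPLE_200, sizeof SAMPLE_200 - 1);
    report("TEXT", (const uint8_t *)SAMPLE_TEXT, sizeof SAMPLE_TEXT - 1);
    report("BINARY", SAMPLE_BIN, sizeof SAMPLE_BIN);
    return 0;
}
```

The non-validating path accepts all four payloads, which is the behaviour complained about in the thread; the validating path accepts only the two SIP messages. A real heuristic would still be fooled by any other text protocol whose first line happens to match, so a start-line check is a filter, not an identification, and port-based "Decode As" remains the authoritative override.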
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe