Wireshark mailing list archives

Re: sctp & heuristic dissecting


From: Guy Harris <guy () alum mit edu>
Date: Thu, 29 Nov 2012 02:05:54 -0800


On Nov 29, 2012, at 1:10 AM, Cristian Constantin <const.crist () googlemail com> wrote:

On Thu, Nov 29, 2012 at 12:44 AM, Guy Harris <guy () alum mit edu> wrote:

On Nov 28, 2012, at 6:53 AM, Cristian Constantin <const.crist () googlemail com> wrote:

what I do not understand is why are functions like:

dissector_try_heuristic
guint8_pbrk
dissect_sip_common

called since:

1. the sctp chunks do NOT contain the data of any application level protocol

How is the SCTP dissector to know that except by checking all the heuristic dissectors registered with it?  This 
includes the SIP dissector (which does the heuristic checking by calling dissect_sip_common() with the is_heur 
argument set to TRUE).  That code tries to find a line ending and, if that fails, returns -2, which, in this case, 
is interpreted as "not SIP".

cristian: how do I turn this sip heuristics off globally (i.e. for all
the pcaps, all the transport level protocols)?

There's no single option to do that for all three transport layers.

For UDP and TCP, there's no option to do it at all.

For SCTP, there's the "Dissect upper layer protocols" preference, which turns off *all* subdissectors for SCTP, whether 
they're heuristic or not.

Which version of Wireshark is this?  In the top-of-trunk packet-sctp.c, if enable_ulp_dissection is FALSE, the 
heuristic dissectors and the PPI/port dissectors aren't called, so if "Dissect upper layer protocols" is un-checked 
(it defaults to TRUE, so you have to explicitly un-check it), those shouldn't be called.

cristian: wireshark 1.9.0 (SVN Rev 46217 from /trunk)

here is what enable_ulp_dissection looks like in packet-sctp.c:

static gboolean enable_ulp_dissection = TRUE;

Yes, which means that the *default* value of "Dissect upper layer protocols" is TRUE.  However, if you open up the SCTP 
preferences, un-check "Dissect upper layer protocols", and save the preferences, that should change 
enable_ulp_dissection to FALSE *and* arrange that, when Wireshark is started up after that and reads the preferences 
file, enable_ulp_dissection will be set to FALSE before any capture file is read.

If that's not happening, there's a bug, probably in the preferences code.

cristian: how exactly does a dissector register itself as a "heuristic
dissector"?

By calling heur_dissector_add() with the first argument being the name of the heuristic dissector list to which to add 
the dissector and the second argument being the dissector function.

is anything else besides sip dissector registering itself
like this?

A number of dissectors register as heuristic dissectors for various protocols (i.e., in various protocols' heuristic 
dissector lists).  The dissectors that register in the "sctp" heuristic dissector list, i.e. that register as heuristic 
dissectors for SCTP, are, in the trunk, JXTA and SIP.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
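The registration and lookup mechanism described in the reply (heur_dissector_add, dissector_try_heuristic, and the enable_ulp_dissection gate), as an added self-contained model that is not Wireshark's own code: the function names mirror the ones discussed, but the bodies, the list structure and the JXTA prefix check are constructed stand-ins.

```c
/* Model (not Wireshark's code) of the mechanism in the reply: dissectors register
 * in a named heuristic list (heur_dissector_add), dissector_try_heuristic calls
 * each until one claims the payload, and enable_ulp_dissection gates the lookup. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef bool (*heur_dissector_t)(const unsigned char *data, size_t len);
typedef struct { const char *name; heur_dissector_t func; } heur_entry_t;
#define MAX_HEUR 8
typedef struct { const char *name; heur_entry_t entries[MAX_HEUR]; size_t count; } heur_list_t;
/* Model of the SCTP preference; defaults to TRUE as in packet-sctp.c. */
static bool enable_ulp_dissection = true;
static heur_list_t sctp_heur_list = { "sctp", {{0}}, 0 };

/* Model of heur_dissector_add(): append a dissector to the named list. */
static void heur_dissector_add(heur_list_t *list, const char *proto, heur_dissector_t f) {
    if (list->count < MAX_HEUR)
        list->entries[list->count++] = (heur_entry_t){ proto, f };
}

/* Stand-in for dissect_sip_common(is_heur=TRUE): no line ending means "not SIP". */
static bool heur_sip(const unsigned char *data, size_t len) {
    return len > 0 && memchr(data, '\n', len) != NULL;
}

/* Stand-in for the JXTA heuristic (constructed; the real check differs). */
static bool heur_jxta(const unsigned char *data, size_t len) {
    return len >= 4 && memcmp(data, "JXTA", 4) == 0;
}

/* Model of dissector_try_heuristic(): first heuristic to claim the payload wins. */
static const char *dissector_try_heuristic(const heur_list_t *list, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < list->count; i++)
        if (list->entries[i].func(data, len)) return list->entries[i].name;
    return NULL;
}
/* Registers the two trunk SCTP heuristics named in the reply, JXTA and SIP. */
static void model_register_sctp_heuristics(void) {
    sctp_heur_list.count = 0;
    heur_dissector_add(&sctp_heur_list, "jxta", heur_jxta);
    heur_dissector_add(&sctp_heur_list, "sip", heur_sip);
}

/* Model of the SCTP DATA-chunk gate: preference un-checked means no subdissector runs. */
static const char *sctp_dissect_payload(const unsigned char *data, size_t len) {
    if (!enable_ulp_dissection) return "raw";
    const char *hit = dissector_try_heuristic(&sctp_heur_list, data, len);
    return hit ? hit : "data";
}
```

With the preference un-checked, a DATA chunk never reaches any heuristic, which is why the SIP line-ending scan disappears from the call path entirely.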

