Wireshark mailing list archives

Re: Dissector for a custom protocol which starts as HTTP


From: Eugène Adell <eugene.adell () gmail com>
Date: Wed, 17 Apr 2019 06:39:36 +0200

Hello,

in the Wireshark GUI did you try the "Decode As" functionality? You
get it in the right-click on a packet (or in Analyze menu). You also
can have a look at Analyze -> Enabled protocols.

see: https://www.wireshark.org/docs/wsug_html_chunked/ChUseAnalyzeMenuSection.html

Eugene

On Tue, 16 Apr 2019 at 23:22, David Ameiss <netshark () ameissnet com> wrote:

I've developed a dissector for a custom protocol used by my company. The
protocol starts out as HTTP, as in an HTTP GET, but after that uses the
"custom" part - not HTTP at all.

The problem I'm running into is that, once a conversation is identified
by the HTTP dissector as being HTTP (due to the first message, which IS
HTTP), it stays that way. My dissector isn't called. I've added my
dissector as a heuristic dissector for HTTP, but that doesn't seem to
help. And unfortunately (since subsequent packets are not HTTP) I don't
have Content-Type to steer the packets my way.

Subsequent packets appear as HTTP Continuation, BTW.

Is there some way to tell HTTP not to treat following packets for that
conversation as HTTP, and to pass them to my dissector? Or a way to call
the HTTP dissector (from my dissector) for the first packet WITHOUT it
being "marked" as HTTP forever and ever?

--
David Ameiss
netshark () ameissnet com
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
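One way to approach the problem David describes in the quoted message, as an added Lua example that is not code from this thread: a dissector that owns the service's TCP port, hands each packet of the opening HTTP exchange to the built-in HTTP dissector one packet at a time, records per TCP stream the frame in which the custom phase began, and dissects everything from that frame on itself. It assumes the custom service listens on a port of its own (CUSTOM_PORT is a placeholder) and that the custom phase never begins with an HTTP method or an HTTP/ status line.

```lua
-- Added example (not from the thread): per-packet delegation to HTTP, then custom.
local custom_proto = Proto("custom_over_http", "Custom protocol after HTTP (example)")
local f_payload = ProtoField.bytes("custom_over_http.payload", "Custom payload")
custom_proto.fields = { f_payload }

local CUSTOM_PORT = 8080                  -- assumed port; adjust for the real service
local http_dissector = Dissector.get("http")
local tcp_stream_f = Field.new("tcp.stream")  -- extractor must be created outside the dissector

-- TCP stream index -> frame number in which the custom phase was first seen
local custom_phase_start = {}

-- Inspect only the leading bytes; assumed to distinguish HTTP from the custom phase.
local function looks_like_http(tvb)
  if tvb:len() < 5 then return false end
  local head = tvb:range(0, 5):string()
  return head:find("^GET ") ~= nil
      or head:find("^POST ") ~= nil
      or head:find("^HTTP/") ~= nil
end

function custom_proto.dissector(tvb, pinfo, tree)
  local stream = tcp_stream_f().value
  local first_custom = custom_phase_start[stream]

  -- First pass only: decide, in capture order, where this stream left HTTP.
  if not pinfo.visited and first_custom == nil and not looks_like_http(tvb) then
    custom_phase_start[stream] = pinfo.number
    first_custom = pinfo.number
  end

  if first_custom == nil or pinfo.number < first_custom then
    -- Still in the HTTP phase: let the HTTP dissector render this packet.
    return http_dissector:call(tvb, pinfo, tree)
  end

  -- Custom phase: from here on the HTTP dissector is never consulted for this stream.
  pinfo.cols.protocol = custom_proto.name
  local subtree = tree:add(custom_proto, tvb(), "Custom phase (after HTTP)")
  subtree:add(f_payload, tvb())
  return tvb:len()
end

DissectorTable.get("tcp.port"):add(CUSTOM_PORT, custom_proto)
```

Because the port, not the HTTP dissector, decides which dissector sees each segment, later packets of the stream are rendered as the custom protocol rather than as HTTP Continuation.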