Wireshark mailing list archives

Re: sctp & heuristic dissecting


From: Guy Harris <guy () alum mit edu>
Date: Wed, 28 Nov 2012 15:44:04 -0800


On Nov 28, 2012, at 6:53 AM, Cristian Constantin <const.crist () googlemail com> wrote:

> what I do not understand is why are functions like:
> 
> dissector_try_heuristic
> guint8_pbrk
> dissect_sip_common
> 
> called since:
> 
> 1. the sctp chunks do NOT contain the data of any application level protocol

How is the SCTP dissector to know that except by checking all the heuristic dissectors registered with it?  This 
includes the SIP dissector (which does the heuristic checking by calling dissect_sip_common() with the is_heur argument 
set to TRUE).  That code tries to find a line ending and, if that fails, returns -2, which, in this case, is 
interpreted as "not SIP".

> 2. the ports used are NOT the default sip ports..

SIP is registered as a heuristic dissector for UDP, TCP, and SCTP, so the port numbers don't matter.  The whole point 
of registering a dissector as a heuristic dissector is so that it can be called even if there's no "protocol ID" field 
(a port field isn't a protocol ID field).

> 3. in the Edit/Preferences/Protocols/SCTP window, _none_ of:
> a. "Try heuristic sub-dissectors first"

That's "first", i.e. "before the PPI/port dissectors", as opposed to "last", i.e. "after the PPI/port dissectors", not 
"first" as opposed to "not at all".

> b. "Dissect upper layer protocols"
> are checked.

Which version of Wireshark is this?  In the top-of-trunk packet-sctp.c, if enable_ulp_dissection is FALSE, the 
heuristic dissectors and the PPI/port dissectors aren't called, so if "Dissect upper layer protocols" is un-checked (it 
defaults to TRUE, so you have to explicitly un-check it), those shouldn't be called.

> otoh, why is it trying to dissect sip and not diameter for example??

Because the Diameter dissector doesn't register itself as a heuristic dissector atop any protocol, while the SIP 
dissector, as noted above, registers itself as a heuristic dissector atop UDP, TCP, and SCTP.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
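The dispatch the reply describes (the SIP heuristic returning -2 when it finds no line ending, Diameter reachable only through the port table, and the two SCTP preferences), as an added C model that is not Wireshark's packet-sctp.c or packet-sip.c. The type and function names, the counter, the Diameter port/version check and the sample chunks are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Simplified model of the dispatch described in the reply; these names are
 * assumptions for illustration, not Wireshark's own API. */
typedef int (*heur_fn)(const unsigned char *data, size_t len);
int sip_heur_calls = 0;   /* how often the SIP heuristic was consulted */

/* Stand-in for dissect_sip_common() with is_heur set: scan for a line
 * ending; none found means -2, which the caller treats as "not SIP". */
static int heur_sip(const unsigned char *data, size_t len) {
    sip_heur_calls++;
    if (memchr(data, '\n', len) == NULL)
        return -2;
    return (int)len;                      /* line found: claim the payload */
}

/* SCTP's heuristic table: SIP registers here, Diameter does not. */
static const heur_fn sctp_heur_table[] = { heur_sip };

/* Port-based ("PPI/port") table; Diameter is reachable only this way.
 * 3868 is Diameter's IANA port and 1 its version byte (not from the page). */
static bool port_dissect(unsigned port, const unsigned char *data, size_t len) {
    return port == 3868 && len >= 20 && data[0] == 1;
}

typedef struct { bool enable_ulp_dissection; bool try_heuristic_first; } sctp_prefs;
typedef enum { DISSECTED_NONE, DISSECTED_HEUR, DISSECTED_PORT } result_t;

static bool try_heuristic(const unsigned char *data, size_t len) {
    size_t n = sizeof sctp_heur_table / sizeof sctp_heur_table[0];
    for (size_t i = 0; i < n; i++)
        if (sctp_heur_table[i](data, len) > 0)
            return true;                  /* <= 0 (e.g. -2) means "try the next one" */
    return false;
}

/* No upper-layer dissection at all when enable_ulp_dissection is off; otherwise
 * heuristics run before or after the port table per "Try heuristic ... first". */
result_t sctp_dispatch(const sctp_prefs *p, unsigned port, const unsigned char *data, size_t len) {
    if (!p->enable_ulp_dissection)
        return DISSECTED_NONE;
    if (p->try_heuristic_first && try_heuristic(data, len))
        return DISSECTED_HEUR;
    if (port_dissect(port, data, len))
        return DISSECTED_PORT;
    if (!p->try_heuristic_first && try_heuristic(data, len))
        return DISSECTED_HEUR;
    return DISSECTED_NONE;
}
```

With the default preferences and a binary chunk on a non-SIP port, the model consults the SIP heuristic (which rejects the chunk with -2) and ends with nothing dissected, which is the situation the question describes.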