
Wireshark-dev: Re: [Wireshark-dev] Dissector for H1 protocol not called

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 20 Jul 2006 18:06:37 +0800


Thomas Boehne wrote:
Hello,

I was capturing H1 traffic, and for some TCP port combinations the H1
dissector was called; for other combinations the generic "data"
dissector was used. Can somebody tell me why? I thought the
packet-h1.c dissector would dissect all packets that start with "S5",
but apparently the dissector is not called at all for some packets
(see attached files H1-ok.pcap and H1-nok.pcap). If I manually change
the ports in H1-nok.pcap, the dissector is called.

If I set the TCP preference "Try heuristic dissectors first?" then the "nok" file shows up as H1 for me.

Without that option set, heuristic dissectors are called only if

- no dissector is registered on, for example, one of the TCP ports in the packet in question, or

- (if there is a dissector registered for that port) that dissector is a "new style" dissector (which does some heuristics and returns FALSE if the packet does not look like it belongs to that dissector) and it returns FALSE

The "nok" file has a TCP segment between ports 1030 and 2000.  Looking in:

http://www.iana.org/assignments/port-numbers

we can see that port 2000 is registered to "Cisco SCCP" which Wireshark has a dissector for (it's called "Skinny" in Wireshark). Sure enough, "packet-skinny.c" is not a new style dissector (it returns void), so it's what's eating your packet.

(This can be verified by disabling the Skinny dissector; again, your "nok" packet shows up as H1.)


The Skinny dissector actually has some heuristics in it:

  if (hdr_data_length < 4 || hdr_reserved != 0) {
    /* Not an SKINNY packet, just happened to use the same port */
    call_dissector(data_handle,tvb, pinfo, tree);
    return;
  }

so it could easily be converted to a new-style dissector (by returning FALSE here) which should fix your problem.
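As an added example (not code from this thread or from Wireshark itself), the following self-contained C program models the dispatch order Jeff describes: the "Try heuristic dissectors first?" preference, a port table with port 2000 registered to Skinny, an old-style (void) versus a new-style Skinny dissector built around the quoted header check, and a heuristic H1 dissector keyed on the "S5" signature. The names packet_t, dissect_tcp, run_sample and the two sample payloads are assumptions made for this example, not Wireshark's API; the sample bytes are constructed here, not taken from the attached pcaps, and the new-style dissector returns 0 where the post says FALSE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of Wireshark's TCP dispatch order, NOT Wireshark's API.  All
 * names below are assumptions for this example.  Only the two checks quoted
 * in the thread are reproduced: the Skinny header sanity check
 * (hdr_data_length < 4 || hdr_reserved != 0) and the H1 "S5" signature. */

typedef struct {
    uint16_t srcport, dstport;
    const uint8_t *data;
    size_t len;
} packet_t;

typedef enum { RESULT_DATA, RESULT_SKINNY, RESULT_H1 } result_t;

/* Constructed sample payloads (not the bytes from H1-ok.pcap / H1-nok.pcap). */
static const uint8_t H1_SAMPLE[]   = { 'S', '5', 0x10, 0x01, 0x03, 0x05, 0x01, 0x03 };
/* Plausible SCCP KeepAlive: length 4, reserved 0, message id 0, little endian. */
static const uint8_t SCCP_SAMPLE[] = { 0x04, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The heuristic quoted from packet-skinny.c, on an 8-byte header. */
static bool looks_like_skinny(const packet_t *p) {
    if (p->len < 8) return false;
    uint32_t hdr_data_length = le32(p->data);
    uint32_t hdr_reserved    = le32(p->data + 4);
    return !(hdr_data_length < 4 || hdr_reserved != 0);
}

/* Old-style dissector: returns void, so even on a mismatch the packet is
 * consumed (handed to "data") and no other dissector gets a chance. */
static void dissect_skinny_old(const packet_t *p, result_t *out) {
    *out = looks_like_skinny(p) ? RESULT_SKINNY : RESULT_DATA;
}

/* New-style dissector: returns 0 ("not mine", the post's FALSE) so the caller
 * keeps looking; otherwise the number of bytes it dissected. */
static int dissect_skinny_new(const packet_t *p, result_t *out) {
    if (!looks_like_skinny(p)) return 0;
    *out = RESULT_SKINNY;
    return (int)p->len;
}

/* Heuristic H1 dissector: claims anything that starts with "S5". */
static bool dissect_h1_heur(const packet_t *p, result_t *out) {
    if (p->len < 2 || p->data[0] != 'S' || p->data[1] != '5') return false;
    *out = RESULT_H1;
    return true;
}

/* Port table with one entry: 2000 (IANA "Cisco SCCP") -> Skinny. */
static bool skinny_registered(const packet_t *p) {
    return p->srcport == 2000 || p->dstport == 2000;
}

/* Dispatch order as described in the post: heuristics first only if the TCP
 * preference says so; then the port-registered dissector; then heuristics,
 * but only if the registered dissector was new-style and declined; then data. */
result_t dissect_tcp(const packet_t *p, bool heuristics_first, bool skinny_new_style) {
    result_t r = RESULT_DATA;
    if (heuristics_first && dissect_h1_heur(p, &r)) return r;
    if (skinny_registered(p)) {
        if (!skinny_new_style) { dissect_skinny_old(p, &r); return r; }
        if (dissect_skinny_new(p, &r) > 0) return r;
        /* new-style Skinny returned 0 ("not mine"): fall through to heuristics */
    }
    if (!heuristics_first && dissect_h1_heur(p, &r)) return r;
    return RESULT_DATA;
}

result_t run_sample(const uint8_t *data, size_t len, uint16_t srcport, uint16_t dstport,
                    bool heuristics_first, bool skinny_new_style) {
    packet_t p = { srcport, dstport, data, len };
    return dissect_tcp(&p, heuristics_first, skinny_new_style);
}

static const char *result_name(result_t r) {
    return r == RESULT_H1 ? "H1" : r == RESULT_SKINNY ? "Skinny" : "data";
}

int main(void) {
    /* "nok" case: 1030 -> 2000 with default preferences; old-style Skinny eats it */
    printf("nok, defaults:          %s\n", result_name(run_sample(H1_SAMPLE, sizeof H1_SAMPLE, 1030, 2000, false, false)));
    printf("nok, heuristics first:  %s\n", result_name(run_sample(H1_SAMPLE, sizeof H1_SAMPLE, 1030, 2000, true,  false)));
    printf("nok, new-style Skinny:  %s\n", result_name(run_sample(H1_SAMPLE, sizeof H1_SAMPLE, 1030, 2000, false, true)));
    printf("unregistered port 2001: %s\n", result_name(run_sample(H1_SAMPLE, sizeof H1_SAMPLE, 1030, 2001, false, false)));
    printf("real SCCP on 2000:      %s\n", result_name(run_sample(SCCP_SAMPLE, sizeof SCCP_SAMPLE, 1030, 2000, false, true)));
    return 0;
}
```

The first line of output is the "nok" behaviour: the H1 bytes fail the Skinny check, but because the old-style dissector cannot decline, they end up as "data". Either turning on "Try heuristic dissectors first?" or making Skinny new-style lets the H1 heuristic run, and a genuine SCCP packet on port 2000 is still dissected as Skinny in both styles.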