Wireshark-dev: Re: [Wireshark-dev] Two dissectors on same TCP port?



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 30 Sep 2009 13:59:46 -0700


On Sep 30, 2009, at 1:21 PM, Alex Lindberg wrote:

> In my specific case, the custom protocol runs on the same TCP port as the h248 MEGACO protocol and relays custom information between a media gateway and its controller.
>
> The custom protocol uses what I would call a "magic cookie" as the first 4 bytes following the tpkt part of the h248 message.

In other words, the answer to my question

> Is it something in the contents of the packet, or is it a preference setting, or is it something else?

is "it's something in the contents of the packet", so you should try my suggestion:

> One way to do this would be to make your dissector a heuristic dissector, have it check for the port number and the unique condition (if there's a match, dissect and return TRUE, otherwise return FALSE), and set the TCP preference to run the heuristic dissectors first.

which would require no changes to Wireshark itself - you'd just have to set that TCP preference.
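
Added example, not part of the original message and not Wireshark's own code: a plain-C model of the accept/reject decision such a heuristic dissector makes (port, then TPKT header, then the 4-byte cookie), with bounds checks so a truncated segment is declined rather than read past its end. The port number, cookie bytes and sample segments are constructed placeholders, and no Wireshark API is used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholders: the thread gives neither the port nor the cookie value. */
#define CUSTOM_TCP_PORT 2944u
#define TPKT_HDR_LEN 4u /* RFC 1006: version, reserved, 16-bit length */
static const uint8_t MAGIC_COOKIE[4] = { 0xC0, 0x01, 0xCA, 0xFE };

/* Constructed sample segments (TPKT header followed by payload). */
static const uint8_t SAMPLE_CUSTOM[] = { 3, 0, 0, 12, 0xC0, 0x01, 0xCA, 0xFE, 1, 2, 3, 4 };
static const uint8_t SAMPLE_MEGACO[] = { 3, 0, 0, 12, 'M', 'E', 'G', 'A', 'C', 'O', '/', '1' };

/* Returns true to claim the segment for the custom dissector, false to
 * decline so the regular port-based dissector gets it instead. */
bool custom_heur_accept(uint16_t src_port, uint16_t dst_port,
                        const uint8_t *data, size_t captured_len)
{
    /* 1. Only consider traffic on the shared port. */
    if (src_port != CUSTOM_TCP_PORT && dst_port != CUSTOM_TCP_PORT)
        return false;
    /* 2. The TPKT header and the cookie must both be captured. */
    if (data == NULL || captured_len < TPKT_HDR_LEN + sizeof MAGIC_COOKIE)
        return false;
    /* 3. TPKT version is 3. */
    if (data[0] != 3)
        return false;
    /* 4. TPKT length counts the header and must leave room for the cookie. */
    uint16_t tpkt_len = (uint16_t)((data[2] << 8) | data[3]);
    if (tpkt_len < TPKT_HDR_LEN + sizeof MAGIC_COOKIE)
        return false;
    /* 5. The unique condition: cookie in the first 4 bytes after TPKT. */
    return memcmp(data + TPKT_HDR_LEN, MAGIC_COOKIE, sizeof MAGIC_COOKIE) == 0;
}

int main(void)
{
    printf("custom segment claimed: %d\n",
           custom_heur_accept(50000, CUSTOM_TCP_PORT, SAMPLE_CUSTOM, sizeof SAMPLE_CUSTOM));
    printf("megaco segment claimed: %d\n",
           custom_heur_accept(50000, CUSTOM_TCP_PORT, SAMPLE_MEGACO, sizeof SAMPLE_MEGACO));
    printf("truncated segment claimed: %d\n",
           custom_heur_accept(50000, CUSTOM_TCP_PORT, SAMPLE_CUSTOM, 6));
    return 0;
}
```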
