Wireshark-dev: Re: [Wireshark-dev] sctp & heuristic dissecting

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 29 Nov 2012 02:05:54 -0800
On Nov 29, 2012, at 1:10 AM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:

> On Thu, Nov 29, 2012 at 12:44 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> 
>> On Nov 28, 2012, at 6:53 AM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:
>> 
>>> what I do not understand is why are functions like:
>>> 
>>> dissector_try_heuristic
>>> guint8_pbrk
>>> dissect_sip_common
>>> 
>>> called since:
>>> 
>>> 1. the sctp chunks do NOT contain the data of any application level protocol
>> 
>> How is the SCTP dissector to know that except by checking all the heuristic dissectors registered with it?  This includes the SIP dissector (which does the heuristic checking by calling dissect_sip_common() with the is_heur argument set to TRUE).  That code tries to find a line ending and, if that fails, returns -2, which, in this case, is interpreted as "not SIP".
> 
> cristian: how do I turn this sip heuristic off globally (i.e. for all
> the pcaps, all the transport level protocols)?

There's no single option to do that for all three transport layers.

For UDP and TCP, there's no option to do it at all.

For SCTP, there's the "Dissect upper layer protocols" preference, which turns off *all* subdissectors for SCTP, whether they're heuristic or not.

>> Which version of Wireshark is this?  In the top-of-trunk packet-sctp.c, if enable_ulp_dissection is FALSE, the heuristic dissectors and the PPI/port dissectors aren't called, so if "Dissect upper layer protocols" is un-checked (it defaults to TRUE, so you have to explicitly un-check it), those shouldn't be called.
> 
> cristian: wireshark 1.9.0 (SVN Rev 46217 from /trunk)
> 
> here is what enable_ulp_dissection looks like in packet-sctp.c:
> 
> static gboolean enable_ulp_dissection = TRUE;

Yes, which means that the *default* value of "Dissect upper layer protocols" is TRUE.  However, if you open up the SCTP preferences, un-check "Dissect upper layer protocols", and save the preferences, that should change enable_ulp_dissection to FALSE *and* arrange that, when Wireshark is started up after that and reads the preferences file, enable_ulp_dissection will be set to FALSE before any capture file is read.

If that's not happening, there's a bug, probably in the preferences code.

> cristian: how exactly does a dissector register itself as a "heuristic
> dissector"?

By calling heur_dissector_add() with the first argument being the name of the heuristic dissector list to which to add the dissector and the second argument being the dissector function.

> is anything else besides sip dissector registering itself
> like this?

A number of dissectors register as heuristic dissectors for various protocols (i.e., in various protocols' heuristic dissector lists).  The dissectors that register in the "sctp" heuristic dissector list, i.e. that register as heuristic dissectors for SCTP, are, in the trunk, JXTA and SIP.
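Added example, not code from Wireshark or from anyone in this thread: a stand-alone C model of the mechanism described above. It reuses the names heur_dissector_add, dissector_try_heuristic and enable_ulp_dissection from the thread for readability, but the bodies are the model's own, not packet-sctp.c's. The SIP-like heuristic follows the description of dissect_sip_common's heuristic path (no line ending means "not SIP") and additionally looks for "SIP/2.0" on that line, which is an assumption of this model; the second heuristic is a hypothetical binary protocol with a constructed magic, not JXTA's real format; all sample payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A heuristic dissector inspects a payload and returns true if it claims it. */
typedef bool (*heur_dissector_t)(const unsigned char *data, size_t len);

#define MAX_HEUR 8

/* One heuristic dissector list, keyed by a name such as "sctp". */
struct heur_dissector_list {
    const char *name;
    const char *proto_names[MAX_HEUR];   /* protocol owning each entry */
    heur_dissector_t funcs[MAX_HEUR];
    int count;
};

static struct heur_dissector_list sctp_heur_list = { "sctp", {0}, {0}, 0 };

/* Models the SCTP preference "Dissect upper layer protocols"
 * (enable_ulp_dissection in packet-sctp.c, which defaults to TRUE). */
static bool enable_ulp_dissection = true;

void set_enable_ulp_dissection(bool on) { enable_ulp_dissection = on; }

/* Model of heur_dissector_add(): first argument is the list to add to,
 * second is the dissector function. Returns false if the list is full. */
bool heur_dissector_add(struct heur_dissector_list *list, const char *proto,
                        heur_dissector_t f)
{
    if (list->count >= MAX_HEUR)
        return false;
    list->proto_names[list->count] = proto;
    list->funcs[list->count] = f;
    list->count++;
    return true;
}

/* Model of dissector_try_heuristic(): every registered heuristic is probed
 * in registration order; the first one that accepts the payload wins. */
const char *dissector_try_heuristic(const struct heur_dissector_list *list,
                                    const unsigned char *data, size_t len)
{
    for (int i = 0; i < list->count; i++)
        if (list->funcs[i](data, len))
            return list->proto_names[i];
    return NULL;
}

/* SIP-like heuristic. Like the heuristic path described for
 * dissect_sip_common(), it first looks for a line ending and reports
 * "not SIP" if there is none; requiring "SIP/2.0" on that line is this
 * model's own assumption. */
static bool heur_sip(const unsigned char *data, size_t len)
{
    const unsigned char *eol = memchr(data, '\n', len);
    if (eol == NULL)
        return false;                       /* no line ending: not SIP */
    size_t linelen = (size_t)(eol - data);
    if (linelen < 8 || data[linelen - 1] != '\r')
        return false;                       /* want a CRLF-terminated line */
    for (size_t i = 0; i + 7 <= linelen; i++)
        if (memcmp(data + i, "SIP/2.0", 7) == 0)
            return true;
    return false;
}

/* Hypothetical binary protocol with a constructed 4-byte magic (an
 * assumption for this example, not any real protocol's format). */
static bool heur_examplebin(const unsigned char *data, size_t len)
{
    static const unsigned char magic[4] = { 0xEB, 0xAD, 0x1E, 0x01 };
    return len >= sizeof magic && memcmp(data, magic, sizeof magic) == 0;
}

/* Model of the SCTP DATA chunk payload path: with the preference off, no
 * subdissector is called at all, heuristic or otherwise. The real dissector
 * also tries PPI- and port-registered dissectors first; omitted here. */
const char *dissect_sctp_payload(const unsigned char *data, size_t len)
{
    if (!enable_ulp_dissection)
        return "data";                      /* shown as raw bytes only */
    const char *proto = dissector_try_heuristic(&sctp_heur_list, data, len);
    return proto ? proto : "data";
}

/* Model of the handoff registration the two SCTP heuristic dissectors do. */
void model_register(void)
{
    if (sctp_heur_list.count > 0)
        return;                             /* idempotent */
    heur_dissector_add(&sctp_heur_list, "examplebin", heur_examplebin);
    heur_dissector_add(&sctp_heur_list, "sip", heur_sip);
}

int main(void)
{
    /* Constructed sample payloads. */
    const char invite[] = "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/SCTP a.example.com\r\n";
    const unsigned char blob[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };  /* no line ending */

    model_register();
    printf("%s\n", dissect_sctp_payload((const unsigned char *)invite, sizeof invite - 1));
    printf("%s\n", dissect_sctp_payload(blob, sizeof blob));
    set_enable_ulp_dissection(false);
    printf("%s\n", dissect_sctp_payload((const unsigned char *)invite, sizeof invite - 1));
    return 0;
}
```

The point the model makes concrete: every DATA chunk payload that no port or PPI dissector claims is handed to each registered heuristic in turn, so a cheap, early rejection (here, "no line ending") is what keeps a heuristic from being a cost on unrelated traffic, and the single preference flag is the only switch that stops all of them at once.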