Wireshark-users: Re: [Wireshark-users] stack mms/COTP/CLNP



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 09 Aug 2006 12:00:50 -0700

Anders Broman wrote:

> Should we look into the possibility of adding a preference to the PRES
> dissector where you can "force" a certain context to be dissected by a
> higher layer dissector such as MMS?

How would you identify the context if you don't have the presentation context identifier?

What we might *really* want is a mechanism by which a dissector that fails to find a sub-dissector can, if it would make sense for the user to explicitly indicate the sub-dissector to be used, indicate that? This would create a data structure for the current frame (it wouldn't have to be persistent, as it'd be recreated whenever the frame was selected) with some indication of what to display as the item to be "decoded as", something to indicate which of the dissectors should be offered as choices, and a routine to call back. At least in Wireshark, the "Decode As" code would add additional tabs to the dialog for this, and would call the callback if you click "OK" and have selected that tab.

In the case of the PRES dissector, the "item to be decoded as" would be something to indicate to the user that it's the context, the list of dissectors would be all the dissectors registered with register_ber_oid_dissector(), and the callback would internally associate the OID for the selected dissector with the context.

We might be able to use this for the DCE RPC "decode as" function as well.

(In fact, we could have dissectors use this even in cases where a sub-dissector *was* found, if we want to allow users to override the decision; that might let us get rid of the "Decode as" code that knows about Ethertypes, IP protocols, and TCP/UDP ports, if we add a few more items to the data structure in question.)
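
Added example (not part of the message above and not Wireshark code): a minimal C model of the per-frame "decode as" request proposed in the message, with a label, a list of candidate dissectors, and a callback that binds the chosen OID to the presentation context. Every type, function and table name here is hypothetical, and the OID table is a constructed stand-in for whatever register_ber_oid_dissector() would have filled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; none of this is Wireshark API. */
typedef struct { const char *oid; const char *name; } oid_dissector_t;

/* Stand-in for the table filled by register_ber_oid_dissector();
 * constructed sample values. */
static const oid_dissector_t oid_table[] = {
    { "1.0.9506.2.3", "MMS"  },
    { "2.2.1.0.1",    "ACSE" },
};
#define N_OIDS (sizeof oid_table / sizeof oid_table[0])

/* Presentation context id -> OID; empty when the negotiation was not captured. */
#define MAX_CTX 16
static const char *ctx_oid[MAX_CTX];

/* Per-frame request built when no sub-dissector is found. */
typedef struct decode_as_request {
    char label[64];                 /* item shown as "to be decoded as" */
    const oid_dissector_t *choices; /* dissectors offered to the user */
    size_t n_choices;
    unsigned ctx_id;                /* state the callback needs */
    int (*apply)(const struct decode_as_request *, size_t choice);
} decode_as_request_t;

/* Callback: associate the chosen dissector's OID with the context. */
int pres_apply(const decode_as_request_t *req, size_t choice)
{
    if (choice >= req->n_choices || req->ctx_id >= MAX_CTX)
        return -1;                  /* reject out-of-range selections */
    ctx_oid[req->ctx_id] = req->choices[choice].oid;
    return 0;
}

/* Returns the sub-dissector name, or NULL after filling *req for the UI. */
const char *pres_dissect(unsigned ctx_id, decode_as_request_t *req)
{
    if (ctx_id < MAX_CTX && ctx_oid[ctx_id] != NULL)
        for (size_t i = 0; i < N_OIDS; i++)
            if (strcmp(oid_table[i].oid, ctx_oid[ctx_id]) == 0)
                return oid_table[i].name;
    snprintf(req->label, sizeof req->label, "Presentation context %u", ctx_id);
    req->choices = oid_table;
    req->n_choices = N_OIDS;
    req->ctx_id = ctx_id;
    req->apply = pres_apply;
    return NULL;
}
```

The request lives only as long as the caller's variable, matching the "wouldn't have to be persistent" point; only the context-to-OID binding made by the callback outlives the frame.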
