Wireshark-users: Re: [Wireshark-users] Wireshark 1.0 unable to dissect DICOM capture

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 1 May 2008 08:41:25 +0200

On Wed, Apr 30, 2008 at 01:19:09PM -0400, Bob Woods wrote:
> Attached is a small DICOM echo capture, for some reason Wireshark 1.0 is
> unable to dissect it.  Any ideas?

Well, I took a look at the dicom dissector (epan/dissectors/packet-dcm.c)
and in the heuristics to determine if a packet can be dissected as dicom
are the following checks:

  if (10 > (tlen = tvb_reported_length(tvb))     /* not long enough */
      || 1 != (pdu = tvb_get_guint8(tvb, 0))     /* look for the start */
      || 1 != (vers = tvb_get_ntohs(tvb, 6)))    /* not version 1 */
      dcm_data->valid = FALSE;

Looking at your trace file, the first packet is only 6 bytes in size, 
so the check will fail. The dicom dissector expects at least 10 bytes in 
the first packet.

Either the dicom dissector is not aware of all the protocol variations
*or* the conversation you captured is not following the dicom specification.

If you are sure that the conversation is indeed dicom, you might want
to file a bug-report on http://bugzilla.wireshark.org 

Please attach the capture file and as much information as you can
find about what application created this conversation (preferably with
a dicom protocol version, if that can be found in the documentation
of the application).

That way we might be able to implement the support for it in the future.

Cheers,
   Sake
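
The heuristic quoted in the message, re-implemented as an added example that is not part of the original post or of Wireshark's code: it shows why a 6-byte first segment is rejected while the same bytes pass once the next segment is appended. The `dcm_stream` buffer, the function names and the sample bytes are hypothetical and constructed, and the example assumes the 6-byte packet carries only the start of the PDU (type, reserved byte, 4-byte length) with the version field arriving in the following segment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the three quoted checks, in the order they are evaluated. */
enum dcm_check { DCM_OK, DCM_TOO_SHORT, DCM_WRONG_PDU, DCM_WRONG_VERSION };

/* The quoted heuristic applied to one buffer of len bytes. */
enum dcm_check dcm_heuristic(const uint8_t *buf, size_t len)
{
    if (len < 10) return DCM_TOO_SHORT;        /* 10 > tlen */
    if (buf[0] != 1) return DCM_WRONG_PDU;     /* PDU type at offset 0 */
    unsigned vers = ((unsigned)buf[6] << 8) | buf[7]; /* big-endian, offset 6 */
    return vers == 1 ? DCM_OK : DCM_WRONG_VERSION;
}

/* Hypothetical per-connection buffer: keeps only the first 16 stream bytes. */
struct dcm_stream { uint8_t buf[16]; size_t len; };

/* Append a segment; return -1 while fewer than 10 bytes are buffered,
 * otherwise the dcm_check result for the buffered bytes. */
int dcm_stream_feed(struct dcm_stream *s, const uint8_t *seg, size_t seglen)
{
    size_t room = sizeof s->buf - s->len;
    size_t n = seglen < room ? seglen : room;  /* bounded copy */
    memcpy(s->buf + s->len, seg, n);
    s->len += n;
    return s->len < 10 ? -1 : (int)dcm_heuristic(s->buf, s->len);
}

/* Constructed sample, not taken from the capture in the thread:
 * seg1 = PDU type 1, reserved, 4-byte length; seg2 = version 1, reserved, text. */
static const uint8_t seg1[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x44 };
static const uint8_t seg2[] = { 0x00, 0x01, 0x00, 0x00,
                                'E', 'C', 'H', 'O', 'S', 'C', 'P', ' ' };

int main(void)
{
    struct dcm_stream s = { {0}, 0 };
    printf("first segment alone: %d\n", (int)dcm_heuristic(seg1, sizeof seg1));
    printf("after segment 1:     %d\n", dcm_stream_feed(&s, seg1, sizeof seg1));
    printf("after segment 2:     %d\n", dcm_stream_feed(&s, seg2, sizeof seg2));
    return 0;
}
```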
