
Wireshark-bugs: [Wireshark-bugs] [Bug 4822] WTP+WSP packets incorrectly dissected as Foundation

Date: Thu, 3 Jun 2010 19:27:33 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4822

--- Comment #1 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-06-03 22:27:29 EDT ---
(In reply to comment #0)
> Created an attachment (id=4722)
>  --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4722)
> A bunch of WTP+WSP packets that are incorrectly dissected
> 
> I'm unsure if there's a heuristic to determine whether or not traffic bound 
> for UDP port 9201 is either Foundation FieldBus, WTP+WSP or something else,
> although it appears that the packets in the attached capture file are being
> incorrectly dissected as Foundation FieldBus by default.

The reason that the frames are dissected as FF is that the frames have a UDP
"port pair" of 1089/9201 (where 1089 is the assigned UDP port for FF)

and that:

The Wireshark UDP dissector tries to decide which port of a pair to use first
when determining a "sub-dissector" as follows:

From the UDP dissector source code:
  /* Do lookups with the subdissector table.
     We try the port number with the lower value first, followed by the
     port number with the higher value.  This means that, for packets
     where a [different] dissector is registered for *both* port numbers:

    1) we pick the same dissector for traffic going in both directions;

    2) we prefer the port number that's more likely to be the right
       one (as that prefers well-known ports to reserved ports);

     although there is, of course, no guarantee that any such strategy
     will always pick the right port number.
  */

Currently the FF dissector is an "old-style" dissector which assumes that any
traffic on port 1089 is FF; that is: it makes no attempt to validate the
contents of the frame.

Note that a different approach (other than using Decode As) to cause the
desired dissection would be to disable the FF protocol (Analyze -> Enabled
Protocols). This approach has the advantage that the change can be saved as a
permanent change.

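The port-pair lookup quoted from the UDP dissector above, modelled as a small Python function. This is an added illustration, not Wireshark's code and not part of the bug thread: the sub-dissector table, the `decode_as` and `disabled` parameters, and the dissector names are constructed here to mirror the comment (the FF dissector registered on 1089, a WTP+WSP dissector on 9201, a "Decode As" override, and Analyze -> Enabled Protocols). It shows why both directions of the 1089/9201 conversation land on FF, and which of the two workarounds changes the outcome.

```python
"""Model of the Wireshark UDP dissector's lower-port-first sub-dissector lookup.

Constructed example; the real table lives in Wireshark's udp.port dissector table.
"""

# Constructed sub-dissector table: UDP port -> dissector name.
# 1089 is the assigned FF port; 9201 carries WAP WTP+WSP in the attached capture.
UDP_SUBDISSECTORS = {
    1089: "ff",         # Foundation Fieldbus ("old-style": never validates the payload)
    9201: "wtp-wsp",    # WAP WTP+WSP (assumed dissector name for the example)
}


def pick_subdissector(src_port, dst_port, table=UDP_SUBDISSECTORS,
                      decode_as=None, disabled=frozenset()):
    """Return the dissector that would be handed a datagram with this port pair.

    Mirrors the strategy quoted from the UDP dissector: try the lower-numbered
    port first, then the higher one, so both directions of a conversation get
    the same dissector.  `decode_as` models a "Decode As" override
    (port -> dissector name); `disabled` models protocols switched off under
    Analyze -> Enabled Protocols, whose entries are skipped so the lookup
    falls through to the other port.
    """
    overrides = decode_as or {}
    low, high = sorted((src_port, dst_port))
    for port in (low, high):
        # A Decode As override replaces the registered entry for that port.
        name = overrides.get(port, table.get(port))
        if name is not None and name not in disabled:
            return name
    # Nothing registered (or everything disabled): Wireshark shows raw "data".
    return "data"


def dissectors_for_conversation(port_a, port_b, **kwargs):
    """Dissector chosen for each direction of a UDP conversation (a->b, b->a)."""
    return (pick_subdissector(port_a, port_b, **kwargs),
            pick_subdissector(port_b, port_a, **kwargs))


if __name__ == "__main__":
    # Default behaviour: 1089 is tried first, so FF wins in both directions.
    print("default:      ", dissectors_for_conversation(1089, 9201))
    # Workaround 1: disable the FF protocol; the lookup falls through to 9201.
    print("FF disabled:  ", dissectors_for_conversation(1089, 9201, disabled={"ff"}))
    # Workaround 2: Decode As on the *lower* port; an override on 9201 alone
    # is never consulted because 1089 is tried first.
    print("Decode As 1089:", dissectors_for_conversation(1089, 9201, decode_as={1089: "wtp-wsp"}))
    print("Decode As 9201:", dissectors_for_conversation(1089, 9201, decode_as={9201: "wtp-wsp"}))
```

One consequence of the lower-port-first rule that the model makes visible: a "Decode As" entry only helps if it is applied to the port that is tried first (1089 here), because the 9201 entry is never reached while 1089 still resolves to FF. Disabling the FF protocol sidesteps that ordering entirely, which is why the comment recommends it as the change that can be saved permanently.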