Wireshark-dev: Re: [Wireshark-dev] Dissector for H1 protocol not called
From: Jeff Morriss <[email protected]>
Date: Thu, 20 Jul 2006 18:06:37 +0800

Thomas Boehne wrote:

I was capturing H1 traffic, and for some TCP port combinations the H1
dissector was called, for other combinations the generic "data"
dissector was used. Can somebody tell me why? I thought the
packet-h1.c dissector would dissect all packets that start with "S5",
but apparently the dissector is not called at all for some packets
(see attached files H1-ok.pcap and H1-nok.pcap). If I manually change
the ports in H1-nok.pcap, the dissector is called.

If I set the TCP preference "Try heuristic dissectors first?" then the 
"nok" file shows up as H1 for me.
Without that option set, heuristic dissectors are called only if

- no dissector is registered on, for example, one of the TCP ports in the packet in question
- or (if there is a dissector registered for that port) and that dissector is a "new style" dissector (which does some heuristics and returns FALSE if the packet does not look like it belongs to that dissector) and it returns FALSE

The "nok" file has a TCP segment between ports 1030 and 2000.  Looking in:


we can see that port 2000 is registered to "Cisco SCCP" which Wireshark has a dissector for (it's called "Skinny" in Wireshark). Sure enough, "packet-skinny.c" is not a new style dissector (it returns void), so it's what's eating your packet.
(This can be verified by disabling the Skinny dissector; again, your 
"nok" packet shows up as H1.)

The Skinny dissector actually has some heuristics in it:

  if (hdr_data_length < 4 || hdr_reserved != 0) {
    /* Not an SKINNY packet, just happened to use the same port */
    call_dissector(data_handle,tvb, pinfo, tree);

so it could easily be converted to a new-style dissector (by returning 
FALSE here) which should fix your problem.
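
The dispatch rules described in this reply, as a simplified stand-alone C model (an added example, not Wireshark source and not part of the original message). The names `dispatch`, `skinny_old`, `skinny_new`, `h1_heur` and the sample payloads are hypothetical, and the Skinny header layout (two little-endian 32-bit fields) is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the dispatch rules described above; not Wireshark code.
   A dissector returns true when it claims the packet. */
typedef bool (*dissect_fn)(const uint8_t *b, size_t n);
static const char *claimed_by;          /* dissector that displayed the packet */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Heuristic H1 check: payload starts with "S5". */
static bool h1_heur(const uint8_t *b, size_t n) {
    if (n < 2 || memcmp(b, "S5", 2) != 0) return false;
    claimed_by = "h1";
    return true;
}

/* Same test as the quoted Skinny snippet; the header layout is assumed. */
static bool not_skinny(const uint8_t *b, size_t n) {
    return n < 8 || le32(b) < 4 || le32(b + 4) != 0;
}

/* Old style: void in Wireshark, so the packet is always consumed. */
bool skinny_old(const uint8_t *b, size_t n) {
    claimed_by = not_skinny(b, n) ? "data" : "skinny";
    return true;
}

/* New style: rejects the packet so that heuristics still get a turn. */
bool skinny_new(const uint8_t *b, size_t n) {
    if (not_skinny(b, n)) return false;
    claimed_by = "skinny";
    return true;
}

/* port_d: dissector registered on the port (NULL if none).
   heur_first: the "Try heuristic dissectors first?" preference. */
const char *dispatch(const uint8_t *b, size_t n, dissect_fn port_d, bool heur_first) {
    claimed_by = "data";
    if (heur_first && h1_heur(b, n)) return claimed_by;
    if (port_d && port_d(b, n)) return claimed_by;
    if (!heur_first) h1_heur(b, n);
    return claimed_by;
}

/* Constructed sample payloads. */
const uint8_t H1_PKT[] = { 'S', '5', 0x10, 0x01, 0x03, 0x05, 0x03, 0x08 };
const uint8_t SKINNY_PKT[] = { 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

With `skinny_old` on the port and the preference off, the H1 payload ends up as "data"; either enabling the preference or switching to `skinny_new` lets the H1 heuristic claim it.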