
Wireshark-dev: [Wireshark-dev] Http dissector - Am I missing something?

From: "Bryant Eastham" <beastham@xxxxxxxxxxx>
Date: Thu, 7 Sep 2006 09:58:13 -0600
All-

I have done several plugin dissectors in the past for internal
protocols, all TCP- and UDP-based. I am now trying to add a plugin for a
protocol that uses HTTP as the transport. Easy, I thought! Well, not so
easy it appears.

I am confused by the logic in packet-http.c around line 1059: 

		if (handle == NULL && headers.content_type != NULL) {
			/*
			 * We didn't find any subdissector that
			 * registered for the port, and we have a
			 * Content-Type value.  Is there any subdissector
			 * for that content type?
			 */
			save_private_data = pinfo->private_data;

			if (headers.content_type_parameters)
				pinfo->private_data =
				    ep_strdup(headers.content_type_parameters);
			else
				pinfo->private_data = NULL;
			/*
			 * Calling the string handle for the media type
			 * dissector table will set pinfo->match_string
			 * to headers.content_type for us.
			 */
			pinfo->match_string = headers.content_type;
			handle = dissector_get_string_handle(
			    media_type_subdissector_table,
			    headers.content_type);
			/*
			 * Calling the default media handle otherwise
			 */
			if (handle == NULL) {
			    handle = media_handle;
			}
		}

This seems to imply that if I have a content-type, then I cannot have a
heuristic subdissector. The reason is the last line, that forces the
handle to "media_handle".

Here is my issue: our protocol uses content-type as
"application/octet-stream", the contents being binary. We identify our
packets (besides the URL) with a type modifier on the content-type that
is specific to our protocol. Unfortunately, the logic as I understand it
for handling content-type is too specific to handle this situation (no
one dissector should handle all "application/octet-stream" packets,
right?).

This seems like a case for a heuristic subdissector, but that is
disabled by the forcing of handle to media_handle.

I seem to remember that changes were made to resolve this issue a while
ago, but maybe I was dreaming...

What am I missing?

Bryant Eastham
Chief Architect
Panasonic Electric Works Laboratory of America, Inc.
Salt Lake City Lab
4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124
Phone : 801.993.7124 Email: beastham@xxxxxxxxxxx
Fax: 801.993.7260 Web: http://slc.mew.com <http://slc.mew.com/>
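
Added example, not part of the original post and not Wireshark code: a stand-alone C model of the selection order in the fragment quoted above, showing that a body with a Content-Type never reaches a heuristic handler once the default media handle is forced. All names, the one-entry media-type table, the `type=x-example` parameter, and the rule that heuristics run only when no handle was chosen are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; this is not Wireshark's API. */
struct headers { char content_type[64]; char params[64]; };

/* Split "type/subtype; k=v" into the media type and its parameter string. */
void split_content_type(const char *value, struct headers *h)
{
    size_t n = strcspn(value, ";");
    const char *p = value[n] == ';' ? value + n + 1 : value + n;

    while (n > 0 && value[n - 1] == ' ') n--;      /* trim before ';' */
    if (n >= sizeof h->content_type) n = sizeof h->content_type - 1;
    memcpy(h->content_type, value, n);
    h->content_type[n] = '\0';
    while (*p == ' ') p++;                         /* trim after ';' */
    snprintf(h->params, sizeof h->params, "%s", p);
}

/* Constructed media-type table: exactly one registered type. */
static const char *media_type_lookup(const char *type)
{
    return strcmp(type, "text/xml") == 0 ? "xml" : NULL;
}

/* Returns the name of the handler that would receive the body. */
const char *select_handler(const char *port_handle, const char *content_type,
                           int heuristic_matches)
{
    const char *handle = port_handle;
    struct headers h;

    if (handle == NULL && content_type != NULL) {
        split_content_type(content_type, &h);
        handle = media_type_lookup(h.content_type);
        if (handle == NULL)
            handle = "media";      /* forced default, as in the quoted code */
    }
    if (handle != NULL)
        return handle;
    /* Assumption: heuristics are consulted only when no handle was chosen. */
    return heuristic_matches ? "heuristic" : "data";
}

int main(void)
{
    printf("%s\n", select_handler(NULL, "application/octet-stream; type=x-example", 1));
    printf("%s\n", select_handler(NULL, NULL, 1));
    return 0;
}
```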