Wireshark-dev: Re: [Wireshark-dev] [Patch] Fix for bug #1163: "Dissector bug. ISO8073COTP proto
From: "Graeme Lunt" <[email protected]>
Date: Wed, 8 Nov 2006 14:34:25 +0100

> This patch (r19733) breaks the dissection of X.400 and X.500
> protocols, and probably other things besides. I think that the
> heuristic is incorrect.

Oops, sorry about that.  Do you know where I can get a copy of the
standard so I can fix the heuristic in a better way?
No problem. I'll see what I can find but ...

... I suspect the issue is in the COTP dissector and that it shouldn't
be calling the Session dissector on COTP user data.

Look at ositp_decode_DT() in packet-clnp.c. It tries a heuristic
dissector list ("cotp_is") for inactive subset and if that fails uses
session. I'm not sure what protocol is being run on top of COTP but I
suspect it either isn't registered on the "copt_is" list or is not
successfully recognising the protocol.

Also, there seems to be an issue with inactive subset and COTP
reassembly there too - it calls the subdissector on each fragment as
well as the reassembled whole. However, I'm not very clear how
inactive subset is supposed to work!

Hope this helps. Let me know if I can help out any further with this issue.