Wireshark-dev: Re: [Wireshark-dev] Adding my own dissector prevents others from running

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Dec 2006 01:44:33 -0800

On Dec 12, 2006, at 12:34 AM, UsAaR33 wrote:

	I implemented the dissect function as per the template of README.developer and am using new_create_dissector_handle to register my dissector. Indeed, the logic appears to be working - the packets that I don't recognize as my own (invalid headers) are not dissected by my dissector. However, for some strange reason they are not being dissected by the SMB dissector either - rather they are merely left as "TCP".

Only one dissector can be registered for a particular port number; the last one registered wins (and one should think of "who wins" as random - it's actually predictable, but we don't guarantee we won't change it). Yours is probably getting registered last.

Note also that the NetBIOS Session Service dissector, which is what normally registers for port 139, is *not* a heuristic or new-style dissector - it always accepts packets, so, even if multiple dissectors could be registered for a particular port number, if the NetBIOS Session Service dissector saw the packet first, no other dissector would get a chance.

	I suspect this is not a rare occurrence (though I couldn't find any information about it on the web). Would anyone know how to ensure that both my own - and the SMB - dissector can run?

Register as a heuristic dissector, reject all packets not for port 139, reject all packets that your dissector doesn't recognize, and set the "Try heuristic sub-dissectors first" preference for the TCP dissector to "true".

Either that, or stop using a port that's already assigned to the NetBIOS Session Service for your protocol.
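
The heuristic registration recommended above, sketched as an added example that is not part of the original message and uses Wireshark's Lua API rather than the C API the thread discusses. The protocol name `foo`, the magic value and the 6-byte header layout are hypothetical stand-ins for the poster's own header check.

```lua
-- Added example: a heuristic dissector that shares TCP port 139 with the
-- NetBIOS Session Service dissector instead of displacing it.
-- "foo", FOO_MAGIC and the header layout are hypothetical.
local foo = Proto("foo", "Foo Protocol (example)")

local f_magic  = ProtoField.uint32("foo.magic",  "Magic",          base.HEX)
local f_length = ProtoField.uint16("foo.length", "Payload length", base.DEC)
foo.fields = { f_magic, f_length }

local FOO_MAGIC  = 0x464F4F31  -- constructed value ("FOO1"), not a real protocol
local HEADER_LEN = 6           -- 4-byte magic + 2-byte length (assumed layout)
local NBSS_PORT  = 139

-- Normal dissection, reached only after the heuristic has accepted the packet.
function foo.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "FOO"
    local subtree = tree:add(foo, tvb(0, HEADER_LEN))
    subtree:add(f_magic,  tvb(0, 4))
    subtree:add(f_length, tvb(4, 2))
    return HEADER_LEN
end

-- Heuristic entry point: returning false hands the packet back to TCP, which
-- then tries the remaining heuristics and the port-based dissector (NBSS/SMB).
local function foo_heuristic(tvb, pinfo, tree)
    -- Reject all packets not for port 139.
    if pinfo.src_port ~= NBSS_PORT and pinfo.dst_port ~= NBSS_PORT then
        return false
    end
    -- Reject anything too short to hold the header (avoids out-of-range reads).
    if tvb:len() < HEADER_LEN then
        return false
    end
    -- Reject packets the dissector does not recognize.
    if tvb(0, 4):uint() ~= FOO_MAGIC then
        return false
    end
    foo.dissector(tvb, pinfo, tree)
    return true
end

-- Register on TCP's heuristic list only. There is deliberately no
-- DissectorTable.get("tcp.port"):add(139, foo) here: that would replace the
-- NBSS registration for the port, which is the problem described above.
foo:register_heuristic("tcp", foo_heuristic)
```

The heuristic only sees port-139 traffic ahead of NBSS when the TCP preference named in the message is enabled, for example with `-o tcp.try_heuristic_first:TRUE` on the command line.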