
Wireshark-dev: [Wireshark-dev] Question about port registrations

From: "Bryant Eastham" <beastham@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 27 May 2009 15:26:28 -0600

All-

 

We had a user complain about one of our (private) dissectors not working. I wanted to verify my understanding of what we see…

 

In my plugin registration I use:

 

dissector_add("tcp.port", EPS_PORT, eps_handle);

 

EPS_PORT is our registered port, 3567.

 

The reported behavior is that a TCP session from port 2424 -> 3567 was not using our dissector. As it turns out, 2424 is registered to TPNCP in packet-tpncp.c. This leads me to questions about the prioritization given to different dissectors. Could someone in the know enlighten me?

 

Q: Does “dissector_add” differentiate between src and dst port? [I think not, the registration is by name and the dissector (TCP) chooses how to use it.]

 

Q: Does Wireshark prioritize between built-in vs. plugin dissectors? [I think not.]

 

Q: Does Wireshark prioritize between dissectors based on matches on src vs. dst port?

 

My fundamental issue is that I would expect that priority be given to the dissector on the *server* (dst) port, as it is the more likely to be standardized vs. ephemeral.

 

As a sanity check, disabling the TPNCP protocol and reloading the trace file correctly uses my dissector for the traffic in question.

 

Thanks for your answers…

 

-Bryant

 

Panasonic


Panasonic Electric Works Laboratory of America - SLC Lab
4525 So. Wasatch Blvd., Suite 100, 84124
Salt Lake City, UT 84124

T 801.993.7124
F 801.993.7269
beastham@xxxxxxxxxxxxxxxxxxxxxxxxxx

Bryant Eastham
Chief Architect
