Wireshark-dev: Re: [Wireshark-dev] How to avoid dissection based on port defined by a different
From: Christopher Maynard <[email protected]>
Date: Wed, 15 Dec 2010 21:46:34 +0000 (UTC)
Stephen Fisher <[email protected]> writes:

> > In addition to Christopher Maynard's suggestions, the surest way to 
> > fix it is to make both dissectors "new-style" so that they verify that 
> > the traffic on the port they're registered on (3503) is the right 
> > traffic they're expecting and kick it back to Wireshark so that 
> > another dissector can be tried....
> 
> I forgot to write:
> 
> ... if it isn't the right protocol for that dissector

The problem I have with this is that 3503 is registered to MPLS Echo so that
dissector shouldn't have to be changed to essentially become a heuristic one to
accommodate this port-stealing protocol.  It's essentially the same situation as
for bug 1946.  (See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1946) 
We ought to be able to rely on registered ports being reserved for data
applicable to the protocols intended to run atop those ports.  Granted 3503 is
not a so-called "well-known" port, so it differs a little bit from the DNS
situation, but it's basically the same thing.  If we accept this situation, then
potentially we have a lot of dissectors to convert to new-style, and that might
be a lot of work, depending on how extensive the heuristics get.  And then you
can always run into the case when the heuristics fail anyway.  (I say
potentially because I haven't tried to count how many dissectors would be
affected.  I suspect a lot though.)