Wireshark-dev: [Wireshark-dev] sctp & heuristic dissecting
From: Cristian Constantin <const.crist@xxxxxxxxxxxxxx>
Date: Wed, 28 Nov 2012 15:53:58 +0100
hi!

I have used oprofile for profiling loading a pretty large sctp capture. the sctp chunks are filled with zeroes (i.e. there is NO application protocol involved). here is the main part of the call trace:

CPU: AMD64 family10, speed 3e+06 MHz (estimated)
Counted CPU_CLK_UNHALTED events (Cycles outside of halt state) with a unit mask of 0x00 (No unit mask) count 750000

samples  %        image name             symbol name
10063    30.1351  libwireshark.so.0.0.0  guint8_pbrk
1211      3.6265  libwireshark.so.0.0.0  compute_offset_length
952       2.8509  libwireshark.so.0.0.0  dissect_ip
885       2.6503  libwireshark.so.0.0.0  fast_ensure_contiguous
813       2.4346  libwireshark.so.0.0.0  tap_push_tapped_queue
691       2.0693  libwireshark.so.0.0.0  call_dissector_work
631       1.8896  libwireshark.so.0.0.0  dissect_packet
624       1.8687  libwireshark.so.0.0.0  dissect_frame
612       1.8327  libwireshark.so.0.0.0  ethertype
588       1.7608  libwireshark.so.0.0.0  check_offset_length_no_exception
578       1.7309  libwireshark.so.0.0.0  dissect_sctp_packet
563       1.6860  libwireshark.so.0.0.0  dissect_sctp_chunk
507       1.5183  libwireshark.so.0.0.0  tvb_reported_length_remaining
500       1.4973  libwireshark.so.0.0.0  emem_alloc_chunk
486       1.4554  libwireshark.so.0.0.0  except_setup_try
459       1.3745  libwireshark.so.0.0.0  call_dissector_through_handle
426       1.2757  libwireshark.so.0.0.0  in_cksum
410       1.2278  libwireshark.so.0.0.0  tvb_new_subset
409       1.2248  libwireshark.so.0.0.0  dissector_try_uint_new
401       1.2009  libwireshark.so.0.0.0  dissector_try_heuristic
381       1.1410  libwireshark.so.0.0.0  dissect_eth_common
325       0.9733  libwireshark.so.0.0.0  tvb_length_remaining
325       0.9733  libwireshark.so.0.0.0  tvb_new
319       0.9553  libwireshark.so.0.0.0  tvb_get_ntohl
311       0.9313  libwireshark.so.0.0.0  tvb_get_ntohs
302       0.9044  libwireshark.so.0.0.0  dissect_data_chunk
298       0.8924  libwireshark.so.0.0.0  tap_build_interesting
293       0.8774  libwireshark.so.0.0.0  tvb_get_guint8
273       0.8175  libwireshark.so.0.0.0  ensure_contiguous
269       0.8056  libwireshark.so.0.0.0  dissect_sctp
269       0.8056  libwireshark.so.0.0.0  dissect_vlan
251       0.7517  libwireshark.so.0.0.0  col_append_fstr
251       0.7517  libwireshark.so.0.0.0  dissector_try_uint
249       0.7457  libwireshark.so.0.0.0  col_set_str
239       0.7157  libwireshark.so.0.0.0  ensure_contiguous_no_exception
214       0.6409  libwireshark.so.0.0.0  emem_free_all
213       0.6379  libwireshark.so.0.0.0  epan_dissect_run_with_taps
203       0.6079  libwireshark.so.0.0.0  dissect_sip_common

what I do not understand is why functions like:

  dissector_try_heuristic
  guint8_pbrk
  dissect_sip_common

are called, since:

1. the sctp chunks do NOT contain the data of any application level protocol
2. the ports used are NOT the default sip ports..
3. in the Edit/Preferences/Protocols/SCTP window, _none_ of:
   a. "Try heuristic sub-dissectors first"
   b. "Dissect upper layer protocols"
   are checked.

otoh, why is it trying to dissect sip and not diameter, for example??

thanks!
cristian
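To make the question concrete, here is an added example (not code from the post or from the Wireshark project) that builds the kind of packet described above, an SCTP packet whose DATA chunk payload is all zeroes on non-SIP ports, verifies the CRC32c the SCTP dissector checks, parses the chunk, and then runs the payload through a model of the sub-dissector lookup that the SCTP dissector performs: PPID table, then the port table, then the heuristic list, with the two preferences named in the post as switches. The lookup order, the table contents (Diameter on PPID 46 and port 3868, SIP on port 5060) and the toy SIP heuristic are my assumptions about how Wireshark's packet-sctp.c behaves, not something the post confirms; the sample packets are constructed inline.

```python
"""Constructed SCTP packet with a zero-filled DATA chunk, plus a model of
sub-dissector selection. Added example; the dispatch order and tables are
assumptions about Wireshark's SCTP dissector, not code from the project."""
import struct

# CRC32c (Castagnoli, reflected polynomial 0x82F63B78), the checksum SCTP uses.
_POLY = 0x82F63B78
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


DATA_CHUNK = 0


def build_data_chunk(tsn, stream_id, ssn, ppid, payload, flags=0x03):
    """DATA chunk: type, flags, length (excluding padding), TSN, SID, SSN, PPID, data."""
    length = 16 + len(payload)
    pad = (-length) % 4
    hdr = struct.pack("!BBHIHHI", DATA_CHUNK, flags, length, tsn, stream_id, ssn, ppid)
    return hdr + payload + b"\x00" * pad


def build_sctp_packet(src_port, dst_port, vtag, chunks):
    """Common header + chunks; checksum computed over the packet with the field zeroed."""
    body = struct.pack("!HHII", src_port, dst_port, vtag, 0) + b"".join(chunks)
    # RFC 4960 Appendix B stores the CRC32c byte-reversed, i.e. little-endian here.
    return body[:8] + struct.pack("<I", crc32c(body)) + body[12:]


def verify_checksum(pkt: bytes) -> bool:
    stored = struct.unpack("<I", pkt[8:12])[0]
    return stored == crc32c(pkt[:8] + b"\x00\x00\x00\x00" + pkt[12:])


def parse_sctp(pkt: bytes) -> dict:
    """Walk the chunk list; every chunk starts on a 4-byte boundary."""
    src, dst, vtag, _ = struct.unpack("!HHII", pkt[:12])
    chunks, off = [], 12
    while off + 4 <= len(pkt):
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError("bad chunk length at offset %d" % off)
        chunk = {"type": ctype, "flags": flags, "length": length}
        if ctype == DATA_CHUNK:
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", pkt[off + 4:off + 16])
            chunk.update(tsn=tsn, stream_id=sid, ssn=ssn, ppid=ppid,
                         payload=pkt[off + 16:off + length])
        chunks.append(chunk)
        off += length + (-length) % 4
    return {"src_port": src, "dst_port": dst, "vtag": vtag, "chunks": chunks}


# Sample registration tables (assumption: a subset of what Wireshark registers).
PPID_TABLE = {46: "diameter"}
PORT_TABLE = {5060: "sip", 3868: "diameter"}


def sip_heuristic(payload: bytes) -> bool:
    """Toy stand-in for SIP's heuristic: first line must be a SIP request or status line."""
    line = payload.split(b"\r\n", 1)[0]
    return line.startswith(b"SIP/2.0 ") or line.endswith(b" SIP/2.0")


HEURISTICS = [("sip", sip_heuristic)]


def select_subdissector(pkt_info, chunk, dissect_ulp=True, try_heuristic_first=False):
    """Model of the SCTP payload dispatch (assumption): heuristics first only if the
    preference says so, then PPID, then low/high port, then heuristics, else 'data'."""
    if not dissect_ulp:
        return "data"

    def heur():
        return next((n for n, fn in HEURISTICS if fn(chunk["payload"])), None)

    if try_heuristic_first and heur():
        return heur()
    if chunk["ppid"] in PPID_TABLE:
        return PPID_TABLE[chunk["ppid"]]
    for port in sorted((pkt_info["src_port"], pkt_info["dst_port"])):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    if not try_heuristic_first and heur():
        return heur()
    return "data"


if __name__ == "__main__":
    # Constructed packet matching the post: zero payload, non-SIP ports, PPID 0.
    pkt = build_sctp_packet(40000, 40001, 0x1234, [build_data_chunk(1, 0, 0, 0, b"\x00" * 64)])
    info = parse_sctp(pkt)
    print("checksum ok:", verify_checksum(pkt), "chunks:", info["chunks"])
    print("dispatch:", select_subdissector(info, info["chunks"][0]))
```

Under this model a zero-filled payload on unregistered ports ends up as "data" whatever the two preferences are set to; the heuristic list is still consulted when "Try heuristic sub-dissectors first" is off, just last. That matches the call counts above only in that dissector_try_heuristic runs per DATA chunk; whether dissect_sip_common should be reached at all for such a payload is the question the post raises.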
- Follow-Ups:
- Re: [Wireshark-dev] sctp & heuristic dissecting
- From: Guy Harris
- Re: [Wireshark-dev] sctp & heuristic dissecting