Wireshark-dev: Re: [Wireshark-dev] sctp & heuristic dissecting

From: Cristian Constantin <const.crist@xxxxxxxxxxxxxx>
Date: Thu, 29 Nov 2012 10:10:59 +0100
On Thu, Nov 29, 2012 at 12:44 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Nov 28, 2012, at 6:53 AM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:
>
>> what I do not understand is why are functions like:
>>
>> dissector_try_heuristic
>> guint8_pbrk
>> dissect_sip_common
>>
>> called since:
>>
>> 1. the sctp chunks do NOT contain the data of any application level protocol
>
> How is the SCTP dissector to know that except by checking all the heuristic dissectors registered with it?  This includes the SIP dissector (which does the heuristic checking by calling dissect_sip_common() with the is_heur argument set to TRUE).  That code tries to find a line ending and, if that fails, returns -2, which, in this case, is interpreted as "not SIP".

cristian: how do I turn this sip heuristic off globally (i.e. for all
the pcaps, all the transport level protocols)?
I mean, if:

* I want to see what happens _only_ at the sctp level in some huge pcaps
* I _know_ that there isn't any sip there (or I do not care about the
sip signalling)

why would I want wireshark to heuristically try to parse sip messages?

>
>> 2. the ports used are NOT the default sip ports..
>
> SIP is registered as a heuristic dissector for UDP, TCP, and SCTP, so the port numbers don't matter.  The whole point of registering a dissector as a heuristic dissector is so that it can be called even if there's no "protocol ID" field (a port field isn't a protocol ID field).
>
>> 3. in the Edit/Preferences/Protocols/SCTP window, _none_ of:
>> a. "Try heuristic sub-dissectors first"
>
> That's "first", i.e. "before the PPI/port dissectors", as opposed to "last", i.e. "after the PPI/port dissectors", not "first" as opposed to "not at all".
>
>> b. "Dissect upper layer protocols"
>> are checked.
>
> Which version of Wireshark is this?  In the top-of-trunk packet-sctp.c, if enable_ulp_dissection is FALSE, the heuristic dissectors and the PPI/port dissectors aren't called, so if "Dissect upper layer protocols" is un-checked (it defaults to TRUE, so you have to explicitly un-check it), those shouldn't be called.

cristian: wireshark 1.9.0 (SVN Rev 46217 from /trunk)

here is how enable_ulp_dissection looks in packet-sctp.c:

static gboolean enable_ulp_dissection = TRUE;

>
>> otoh, why is it trying to dissect sip and not diameter for example??
>
> Because the Diameter dissector doesn't register itself as a heuristic dissector atop any protocol, while the SIP dissector, as noted above, registers itself as a heuristic dissector atop UDP, TCP, and SCTP.

cristian: how exactly does a dissector register itself as a "heuristic
dissector"? is anything else besides the sip dissector registering itself
like this?

thanks a lot!
bye now!
cristian
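The dispatch logic discussed above (heuristics tried regardless of port, "first" meaning only "before the port table", and enable_ulp_dissection skipping both), as an added example that is not part of the thread or of Wireshark's source. In Wireshark itself a dissector becomes a heuristic sub-dissector by calling heur_dissector_add() from its reg_handoff routine, once per transport it wants to be tried on ("udp", "tcp", "sctp"); the plain-C model below reproduces that shape without Wireshark's headers so it compiles stand-alone. The function and preference names mirror the ones named in the thread, but the tables, the tvbuff stand-in, the simplified SIP line check, the "SCTP-only"/"Data" result labels and the port-table entry for Diameter on 3868 are this model's own assumptions.

```c
/* Toy model of Wireshark's SCTP sub-dissector dispatch: an added example,
 * not code from Wireshark or from this thread.  Names mirror packet-sctp.c
 * and packet-sip.c; tables, tvbuff and the SIP check are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

typedef struct { const unsigned char *data; size_t len; } tvb_t; /* stand-in for tvbuff_t */
typedef bool (*heur_fn)(const tvb_t *tvb);                       /* true = "this is mine" */

static struct { const char *proto; heur_fn fn; } heur_table[MAX_ENTRIES];
static struct { unsigned port; const char *proto; } port_table[MAX_ENTRIES];
static size_t heur_count, port_count;

/* Preferences named as in packet-sctp.c, with their defaults. */
static bool enable_ulp_dissection = true;  /* "Dissect upper layer protocols" */
static bool try_heuristic_first   = false; /* "Try heuristic sub-dissectors first" */

static unsigned heur_calls; /* how often the SIP heuristic actually ran */

/* Model of heur_dissector_add("sctp", fn, proto): no port is involved at all. */
static bool heur_dissector_add(const char *proto, heur_fn fn) {
    if (heur_count == MAX_ENTRIES) return false;
    heur_table[heur_count].proto = proto;
    heur_table[heur_count++].fn = fn;
    return true;
}

/* Model of dissector_add_uint("sctp.port", port, handle). */
static bool dissector_add_uint(unsigned port, const char *proto) {
    if (port_count == MAX_ENTRIES) return false;
    port_table[port_count].port = port;
    port_table[port_count++].proto = proto;
    return true;
}

/* Model of dissector_try_heuristic(): every registered heuristic is asked in turn. */
static const char *dissector_try_heuristic(const tvb_t *tvb) {
    for (size_t i = 0; i < heur_count; i++)
        if (heur_table[i].fn(tvb)) return heur_table[i].proto;
    return NULL;
}

/* Model of the port-table lookup; the PPI lookup is left out. */
static const char *dissector_try_port(unsigned sport, unsigned dport) {
    for (size_t i = 0; i < port_count; i++)
        if (port_table[i].port == sport || port_table[i].port == dport)
            return port_table[i].proto;
    return NULL;
}

/* Model of the DATA-chunk payload hand-off: the three outcomes described in the thread. */
static const char *dissect_sctp_payload(const tvb_t *tvb, unsigned sport, unsigned dport) {
    const char *proto;
    if (!enable_ulp_dissection) return "SCTP-only";  /* neither table is consulted */
    if (try_heuristic_first) {
        proto = dissector_try_heuristic(tvb);
        if (proto == NULL) proto = dissector_try_port(sport, dport);
    } else {
        proto = dissector_try_port(sport, dport);
        if (proto == NULL) proto = dissector_try_heuristic(tvb);
    }
    return proto != NULL ? proto : "Data";            /* generic data dissector */
}

/* Simplified stand-in for dissect_sip_common(..., is_heur = TRUE): without a
 * line ending the real code returns -2, which the caller reads as "not SIP". */
static bool dissect_sip_heur(const tvb_t *tvb) {
    const unsigned char *eol = memchr(tvb->data, '\n', tvb->len);
    heur_calls++;
    if (eol == NULL) return false;
    size_t linelen = (size_t)(eol - tvb->data);
    if (linelen > 0 && tvb->data[linelen - 1] == '\r') linelen--;
    if (linelen < 8) return false;
    if (memcmp(tvb->data, "SIP/2.0 ", 8) == 0) return true;       /* status line  */
    return memcmp(tvb->data + linelen - 8, " SIP/2.0", 8) == 0;   /* request line */
}

/* Registrations as the thread describes them: SIP heuristically, Diameter by port only
 * (3868 is Diameter's registered port; an assumption of this model, not from the thread). */
static void setup_demo(void) {
    heur_count = port_count = heur_calls = 0;
    enable_ulp_dissection = true;
    try_heuristic_first = false;
    heur_dissector_add("SIP", dissect_sip_heur);
    dissector_add_uint(3868, "Diameter");
}

/* One scenario: fresh tables, the given preferences, one payload. */
static const char *run_case(const unsigned char *d, size_t n, unsigned sport,
                            unsigned dport, bool ulp, bool heur_first) {
    tvb_t tvb = { d, n };
    setup_demo();
    enable_ulp_dissection = ulp;
    try_heuristic_first = heur_first;
    return dissect_sctp_payload(&tvb, sport, dport);
}

/* Constructed sample payloads (not captured traffic). */
static const unsigned char SIP_INVITE[]  = "INVITE sip:bob@example.org SIP/2.0\r\nVia: SIP/2.0/SCTP 192.0.2.1\r\n";
static const unsigned char HTTP_LINE[]   = "GET / HTTP/1.1\r\n";
static const unsigned char BINARY_BLOB[] = { 0x01, 0x00, 0x00, 0x14, 0x80, 0x00, 0x01, 0x01 }; /* no '\n' */

int main(void) {
    const char *r;
    r = run_case(BINARY_BLOB, sizeof BINARY_BLOB, 5000, 5001, true, false);
    printf("binary on 5000, ULP on:       %s (SIP heuristic ran %u time(s))\n", r, heur_calls);
    r = run_case(BINARY_BLOB, sizeof BINARY_BLOB, 5000, 5001, false, false);
    printf("binary on 5000, ULP off:      %s (SIP heuristic ran %u time(s))\n", r, heur_calls);
    r = run_case(SIP_INVITE, sizeof SIP_INVITE - 1, 12345, 54321, true, false);
    printf("SIP on 12345:                 %s\n", r);
    r = run_case(SIP_INVITE, sizeof SIP_INVITE - 1, 3868, 5000, true, false);
    printf("SIP on 3868, heuristic last:  %s\n", r);
    r = run_case(SIP_INVITE, sizeof SIP_INVITE - 1, 3868, 5000, true, true);
    printf("SIP on 3868, heuristic first: %s\n", r);
    return 0;
}
```

The binary payload shows the point of the thread: the SIP heuristic runs once even though nothing SIP-like is on the wire and the ports are arbitrary, and the only setting in this model that stops it running is enable_ulp_dissection, which also stops the port lookup. The two 3868 cases show that "Try heuristic sub-dissectors first" only decides whether the port table or the heuristic list wins when both would match.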