Wireshark-dev: [Wireshark-dev] Conflict between LISP control and LISP data dissectors
From: Lori Jakab <[email protected]>
Date: Thu, 2 May 2013 17:09:32 +0300

There is a special "LISP Control" packet type, where the UDP source port is the one registered for "LISP Data" and the UDP destination port is "LISP Control" (4341 and 4342 respectively).  Wireshark dissects this packet as "LISP Data" which leads to incorrect dissection.  While "LISP Control" can have the port number 4342 as both source and destination, for "LISP Data" 4341 is always the destination port.  However, the way the dissector table works, AFAIK, you cannot register a dissector for a destination port only, (something like "udp.dstport") which would solve my problem.

Additionally, I looked at the generated epan/dissectors/register.c, where the "LISP Control" dissector comes before "LISP Data", yet, when both ports are present in the UDP header, the packet gets dissected as "LISP Data".

I would really like to avoid using heuristic dissectors here, since the protocol uses well known ports, and there is only one packet type where there is UDP port clash.  Is there any way to solve this issue in such a way, that users don't need to make any extra settings, i.e., it would work as expected out of the box when Wireshark is installed?