Wireshark-dev: [Wireshark-dev] Heuristic check of T.125 dissector

From: Thomas Wiens <th.wiens@xxxxxx>
Date: Sun, 23 Feb 2014 01:15:22 +0100
Hi,

I've written a Wireshark dissector for communication between industrial
control systems, which comes as the payload of COTP packets.
But the packets are displayed as T.125 protocol, until I disable this
protocol in Wireshark settings to get my own dissector working.
For myself I have no problem with this, but I have hosted this project
at sourceforge and there are other users of this plugin, so it would be
nice if it could be fixed.

I have checked the relevant source files for the T.125 dissector:
/asn1/t125/packet-t125-template.c

The first heuristic check is:
(ber_class==BER_CLASS_APP) && ((tag>=101) && (tag<=104)))

The first "ber" check could not be the problem, because it checks
only the first byte of the COTP payload, and the first byte of my
protocol is always 0x32. And (0x32 >> 6) & 0x03 is not equal to
BER_CLASS_APP, which is 1.

So the second check (a reminiscence of Douglas Adams?) with the magical 42
comes in:
(choice_index <=42)

The check is marked with a comment:
/* is this strong enough ? */

And I would answer: No, it is not.

I've taken a look into the relevant source file "packet-per.c", where
"choice_index" is the function parameter "val".
But "val" is calculated, shifted and so on several times, so that I don't
know what value comes out.

Is there a possibility to make the heuristic check of the T.125
protocol stronger?

-- 
Thomas Wiens
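The first heuristic quoted in the post, worked through as an added example (this is illustration code, not Wireshark's packet-t125 or packet-ber source; the function names and the sample payloads are constructed). It decodes the BER identifier octet(s) the way the check needs: the class comes from the top two bits of the first byte, while tags 101..104 exceed 30 and so use BER's long-form tag encoding, which is why a first byte of 0x32 (class 0, UNIVERSAL) can never satisfy this check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* BER identifier classes; BER_CLASS_APP == 1, as stated in the post. */
#define BER_CLASS_UNI 0
#define BER_CLASS_APP 1
#define BER_CLASS_CON 2
#define BER_CLASS_PRI 3

/* Class of a single identifier octet: the expression quoted in the post. */
int ber_class_of(uint8_t first_octet) { return (first_octet >> 6) & 0x03; }

/* Decode the BER identifier at the start of buf (hypothetical helper).
 * Returns bytes consumed, or 0 if the buffer is too short or the
 * long-form tag is truncated / unreasonably long. */
static size_t ber_identifier(const uint8_t *buf, size_t len,
                             int *ber_class, uint32_t *tag)
{
    if (len == 0) return 0;
    *ber_class = ber_class_of(buf[0]);
    uint32_t t = buf[0] & 0x1f;
    size_t used = 1;
    if (t == 0x1f) {                 /* long form: tags >= 31, e.g. 101..104 */
        t = 0;
        for (;;) {
            if (used >= len || used > 4) return 0;   /* truncated or > 28 bits */
            t = (t << 7) | (buf[used] & 0x7f);
            if (!(buf[used++] & 0x80)) break;        /* last octet has bit 7 clear */
        }
    }
    *tag = t;
    return used;
}

/* The first T.125 heuristic as the post describes it:
 * class must be APPLICATION and the tag must lie in 101..104. */
bool t125_first_heuristic(const uint8_t *buf, size_t len)
{
    int ber_class; uint32_t tag;
    if (ber_identifier(buf, len, &ber_class, &tag) == 0) return false;
    return ber_class == BER_CLASS_APP && tag >= 101 && tag <= 104;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t s7_like[]   = {0x32, 0x01, 0x00, 0x00};       /* first byte 0x32, as in the post */
static const uint8_t t125_like[] = {0x7f, 0x65, 0x82, 0x01, 0x00}; /* APPLICATION class, long-form tag 101 */
static const uint8_t truncated[] = {0x7f};                         /* long-form tag with no tag octet */
```

Running the two sample payloads through `t125_first_heuristic` shows the post's point: the 0x32 payload fails the first check outright, so whether it is claimed by T.125 comes down entirely to the weaker `choice_index <= 42` test.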