Wireshark-dev: Re: [Wireshark-dev] Dissector for a custom protocol which starts as HTTP
From: Peter Wu <[email protected]>
Date: Wed, 17 Apr 2019 09:56:38 +0100
Does your protocol use an Upgrade header? If so, you can register with the http.upgrade dissector table.

Search also for "upgrade" in https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-http.c

Once control is handed to http, I don't think you can change it. Protocols like SMTP that use STARTTLS do something like this:
- Protocol starts being decoded as SMTP
- SMTP signals STARTTLS, so SMTP calls into the TLS dissector to let it know that everything after this packet is TLS with SMTP embedded.
- Due to that call TLS becomes the conversation dissector, but because it had a special case for detecting where TLS actually starts, it will reject earlier traffic, giving others a chance to handle it.

See "last_nontls_frame" in
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls.c
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls-utils.c

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)


On April 16, 2019 10:20:46 PM GMT+01:00, David Ameiss <[email protected]> wrote:
>I've developed a dissector for a custom protocol used by my company.
>The 
>protocol starts out as HTTP, as in an HTTP GET, but after that uses the
>
>"custom" part - not HTTP at all.
>
>The problem I'm running into is that, once a conversation is identified
>
>by the HTTP dissector as being HTTP (due to the first message, which IS
>
>HTTP), it stays that way. My dissector isn't called. I've added my 
>dissector as a heuristic dissector for HTTP, but that doesn't seem to 
>help. And unfortunately (since subsequent packets are not HTTP) I don't
>
>have Content-Type to steer the packets my way.
>
>Subsequent packets appear as HTTP Continuation, BTW.
>
>Is there some way to tell HTTP not to treat following packets for that 
>conversation as HTTP, and to pass them to my dissector? Or a way to
>call 
>the HTTP dissector (from my dissector) for the first packet WITHOUT it 
>being "marked" as HTTP forever and ever?
>
>-- 
>David Ameiss
>[email protected]
>___________________________________________________________________________
>Sent via:    Wireshark-dev mailing list <[email protected]>
>Archives:    https://www.wireshark.org/lists/wireshark-dev
>Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>         mailto:[email protected]?subject=unsubscribe