All-
We had a user complain about one of our (private) dissectors not
working. I wanted to verify my understanding of what we see...
In my plugin registration I use:
dissector_add("tcp.port", EPS_PORT, eps_handle);
EPS_PORT is our registered port, 3567.
The reported behavior is that a TCP session from port 2424 -> 3567 was
not using our dissector. As it turns out, 2424 is registered to TPNCP in
packet-tpncp.c. This leads me to questions about the prioritization
given to different dissectors. Could someone in the know enlighten me?
Q: Does "dissector_add" differentiate between src and dst port? [I think
not, the registration is by name and the dissector (TCP) chooses how to
use it.]
Q: Does Wireshark prioritize between built-in vs. plugin dissectors? [I
think not.]
Q: Does Wireshark prioritize between dissectors based on matches on src
vs. dst port?
My fundamental issue is that I would expect that priority be given to
the dissector on the *server* (dst) port, as it is the more likely to be
standardized vs. ephemeral.
As a sanity check, disabling the TPNCP protocol and reloading the trace
file correctly uses my dissector for the traffic in question.
Thanks for your answers...
-Bryant
Panasonic Electric Works Laboratory of America - SLC Lab
4525 So. Wasatch Blvd., Suite 100, 84124
Salt Lake City, UT 84124
T 801.993.7124
F 801.993.7269
[email protected]
Bryant Eastham
Chief Architect
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
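
The behavior reported in this message can be reproduced with a small stand-alone C model, added here as an example and not taken from Wireshark or from the poster's plugin. It assumes the TCP dissector looks up the numerically lower port before the higher one, regardless of direction; `pick_dissector`, `set_enabled` and the table layout are hypothetical names for the model.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simplified model of a "tcp.port" table: one dissector name per port. */
struct port_entry { uint16_t port; const char *name; int enabled; };

static struct port_entry tcp_port_table[] = {
    { 2424, "tpncp", 1 },  /* port the post says packet-tpncp.c registers */
    { 3567, "eps",   1 },  /* EPS_PORT from the post */
};
#define N_ENTRIES (sizeof tcp_port_table / sizeof tcp_port_table[0])

/* Return the enabled dissector registered on a port, or NULL. */
static const char *lookup(uint16_t port) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (tcp_port_table[i].port == port && tcp_port_table[i].enabled)
            return tcp_port_table[i].name;
    return NULL;
}

/* Models disabling or enabling a protocol, as done in the sanity check. */
void set_enabled(const char *name, int enabled) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(tcp_port_table[i].name, name) == 0)
            tcp_port_table[i].enabled = enabled;
}

/* Assumed lookup order: lower port first, then higher. The table is keyed
 * by port number only, so src and dst are not distinguished. */
const char *pick_dissector(uint16_t src, uint16_t dst) {
    uint16_t low  = src < dst ? src : dst;
    uint16_t high = src < dst ? dst : src;
    const char *d = lookup(low);
    if (d == NULL && high != low)
        d = lookup(high);
    return d ? d : "data";  /* nothing registered: generic fallback */
}

int main(void) {
    printf("2424 -> 3567: %s\n", pick_dissector(2424, 3567));
    printf("3567 -> 2424: %s\n", pick_dissector(3567, 2424));
    set_enabled("tpncp", 0);  /* the sanity check from the post */
    printf("2424 -> 3567, tpncp disabled: %s\n", pick_dissector(2424, 3567));
    set_enabled("tpncp", 1);
    printf("50000 -> 3567: %s\n", pick_dissector(50000, 3567));
    return 0;
}
```

Under this assumption, a client whose ephemeral source port happens to be a lower registered port shadows the server-port dissector, which matches both the report and the sanity check.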
