In my specific case, the custom protocol runs on the same TCP port as the h248 MEGACO protocol and relays custom information between a media gateway and its controller.
The custom protocol uses what I would call a "magic cookie" as the first 4 bytes following the tpkt part of the h248 message. These bytes are chosen because they would never appear if the data contained was true h248. At the moment, I have added code to the h.248 dissector to check for this byte stream and call the custom dissector if they are detected.

I would suppose that code could be added to packet-h248.c that would look for true h248 data. If not found, return all data back to Wireshark. This might be a good thing anyhow. If this approach were followed, would Wireshark then look for any other registered dissectors that are on the h248 port?

Thanks for your assistance.

Alex Lindberg

--- On Wed, 9/30/09, Guy Harris <[email protected]> wrote:

From: Guy Harris <[email protected]>
Subject: Re: [Wireshark-dev] Two dissectors on same TCP port?
To: "Developer support list for Wireshark" <[email protected]>
Date: Wednesday, September 30, 2009, 1:43 PM

On Sep 30, 2009, at 11:30 AM, Alex Lindberg wrote:

> I am creating a custom dissector that runs on a TCP port already
> covered by one of the standard dissectors.
>
> How can I overload the dissector registration so that if the
> unique condition exists for my custom dissector my dissector will be
> used, otherwise pass control back to Wireshark?

What is the unique condition? Is it something in the contents of the packet, or is it a preference setting, or is it something else?

One way to do this would be to make your dissector a heuristic dissector, have it check for the port number and the unique condition (if there's a match, dissect and return TRUE, otherwise return FALSE), and set the TCP preference to run the heuristic dissectors first.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
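The port-plus-content check described in the thread, written as an added example that is not from either poster or from Wireshark's source: plain C with no Wireshark API calls, returning true only when a TPKT header is followed by the cookie. The cookie bytes, the port value 2944 and all names here are constructed placeholders, since the thread gives none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPKT_HDR_LEN 4   /* version, reserved, 16-bit big-endian length */
#define COOKIE_LEN   4

/* Placeholder cookie: the thread does not state the real 4 bytes. */
static const uint8_t EXAMPLE_COOKIE[COOKIE_LEN] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_CUSTOM[] = { 3, 0, 0, 10, 0xDE, 0xAD, 0xBE, 0xEF, 1, 2 };
static const uint8_t SAMPLE_H248[]   = { 3, 0, 0, 12, 'M', 'E', 'G', 'A', 'C', 'O', '/', '1' };

/*
 * Heuristic test: claim the segment (true) only if one side uses the
 * shared port AND the payload is TPKT followed by the cookie.
 * Returning false leaves the data for the regular port-based dissector.
 */
bool custom_heuristic_match(const uint8_t *buf, size_t captured_len,
                            uint16_t src_port, uint16_t dst_port,
                            uint16_t shared_port)
{
    if (src_port != shared_port && dst_port != shared_port)
        return false;
    /* Never read past the captured bytes. */
    if (buf == NULL || captured_len < TPKT_HDR_LEN + COOKIE_LEN)
        return false;
    /* TPKT: version is 3, reserved byte is 0. */
    if (buf[0] != 3 || buf[1] != 0)
        return false;
    /* The TPKT length counts its own header; it must leave room for the cookie. */
    size_t tpkt_len = ((size_t)buf[2] << 8) | buf[3];
    if (tpkt_len < TPKT_HDR_LEN + COOKIE_LEN)
        return false;
    return memcmp(buf + TPKT_HDR_LEN, EXAMPLE_COOKIE, COOKIE_LEN) == 0;
}

int main(void)
{
    printf("custom payload claimed: %d\n",
           custom_heuristic_match(SAMPLE_CUSTOM, sizeof SAMPLE_CUSTOM, 40000, 2944, 2944));
    printf("h248 payload claimed:   %d\n",
           custom_heuristic_match(SAMPLE_H248, sizeof SAMPLE_H248, 40000, 2944, 2944));
    return 0;
}
```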
