On Sep 30, 2009, at 1:21 PM, Alex Lindberg wrote:
> In my specific case, the custom protocol runs on the same TCP port
> as the h248 MEGACO protocol and relays custom information between a
> media gateway its controller.
>
> The custom protocol uses what I would call a "magic cookie" as the
> first 4 bytes following the tpkt part of the h248 message.
In other words, the answer to my question
Is it something in the contents of the packet, or is it a preference
setting, or is it something else?
is "it's something in the contents of the packet", so you should try
my suggestion:
One way to do this would be to make your dissector a heuristic
dissector, have it check for the port number and the unique condition
(if there's a match, dissect and return TRUE, otherwise return FALSE),
and set the TCP preference to run the heuristic dissectors first.
which would require no changes to Wireshark itself - you'd just have
to set that TCP preference.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
