The heuristic for SIP doesn't do any validation before passing the data to
the main SIP dissector:
https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398

You could disable protocol "sip_udp" to prevent it from being called.

Or if you would like to test a development build (4.1.0rc0)
https://www.wireshark.org/download/automated/, it is possible to set
"Decode as..." for a UDP Port to the "Data" dissector.

11.4.2. User Specified Decodes
https://www.wireshark.org/docs/wsug_html/#ChAdvDecodeAs

Unable to disable decoding
https://gitlab.com/wireshark/wireshark/-/issues/12098

decode as: Add data dissector to all tables that support Decode As
https://gitlab.com/wireshark/wireshark/-/merge_requests/7180

On Tue, Nov 29, 2022 at 8:08 AM Ariel Burbaickij <ariel.burbaic...@gmail.com>
wrote:

> Hello Jaap, all,
> nothing there as well.
>
> Kind Regards
> Ariel Burbaickij
>
> On Mon, Nov 28, 2022 at 9:23 PM Jaap Keuter <jaap.keu...@xs4all.nl> wrote:
>
>> Hi,
>>
>> Have you looked at the table in Analyse | Decode As...  ?
>>
>> Thanks,
>> Jaap
>>
>> > On 28 Nov 2022, at 16:51, Ariel Burbaickij <ariel.burbaic...@gmail.com>
>> wrote:
>> >
>> > Hello all,
>> > we observe that Wireshark correctly decodes SIP over non-standard UDP
>> port, even where it is undesirable for our purposes in this case. All
>> options that we are aware of that would control such behaviour like trying
>> heuristic dissectors are on OFF.  So, how is it done (analyzing the text
>> behind the UDP header?) and how can it be prevented?
>> >
>> > Kind Regards
>> > Ariel Burbaickij
>> >
>> >
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
>> Archives:    https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
>>