Open an enhancement request: https://wiki.wireshark.org/WishList
Helps if you can attach a sample capture file.

On Wed, Nov 30, 2022 at 2:33 AM Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:

> > The heuristic for SIP doesn't do any validation before passing the data
> > to the main SIP dissector:
> >
> > https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398
>
> Yes, thank you for pointing out where it happens, pretty thin layer of
> heuristics, indeed ;-).
>
> > You could disable protocol "sip_udp" to prevent it from being called.
>
> We cannot, as this would disable it over well-known UDP port 5060 as well
> and there we would like to keep it.
>
> Instead of all these contortions why not introduce the logic matching
> the one for TCP ports? Seems pretty natural and general to me.
>
> Kind Regards
> Ariel Burbaickij
>
> On Tue, Nov 29, 2022 at 4:43 PM chuck c <bubbas...@gmail.com> wrote:
>
>> The heuristic for SIP doesn't do any validation before passing the data
>> to the main SIP dissector:
>>
>> https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398
>>
>> You could disable protocol "sip_udp" to prevent it from being called.
>>
>> Or if you would like to test a development build (4.1.0rc0)
>> https://www.wireshark.org/download/automated/, it is possible to set
>> "Decode as..." for a UDP Port to the "Data" dissector.
>>
>> 11.4.2. User Specified Decodes
>> https://www.wireshark.org/docs/wsug_html/#ChAdvDecodeAs
>>
>> Unable to disable decoding
>> https://gitlab.com/wireshark/wireshark/-/issues/12098
>>
>> decode as: Add data dissector to all tables that support Decode As
>> https://gitlab.com/wireshark/wireshark/-/merge_requests/7180
>>
>> On Tue, Nov 29, 2022 at 8:08 AM Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:
>>
>>> Hello Jaap, all,
>>> nothing there as well.
>>>
>>> Kind Regards
>>> Ariel Burbaickij
>>>
>>> On Mon, Nov 28, 2022 at 9:23 PM Jaap Keuter <jaap.keu...@xs4all.nl> wrote:
>>>
>>>> Hi,
>>>>
>>>> Have you looked at the table in Analyse | Decode As... ?
>>>>
>>>> Thanks,
>>>> Jaap
>>>>
>>>> > On 28 Nov 2022, at 16:51, Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:
>>>> >
>>>> > Hello all,
>>>> > we observe that Wireshark correctly decodes SIP over non-standard UDP
>>>> > port, even where it is undesirable for our purposes in this case. All
>>>> > options that we are aware of that would control such behaviour like trying
>>>> > heuristic dissectors are on OFF. So, how is it done (analyzing the text
>>>> > behind the UDP header?) and how can it be prevented?
>>>> >
>>>> > Kind Regards
>>>> > Ariel Burbaickij
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
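
Added example, not part of the thread and not Wireshark's code: a stand-alone C sketch of the kind of first-line validation a SIP-over-UDP heuristic could apply before handing a payload to the main dissector, using the RFC 3261 Request-Line and Status-Line shapes. The function names, the restriction to `SIP/2.0` and to upper-case method names, and the sample payloads are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Wireshark code. Classifies a UDP payload by its
 * first line only: 1 = Request-Line, 2 = Status-Line, 0 = not SIP. */
static const char SIP_VER[] = "SIP/2.0";
#define VER_LEN (sizeof SIP_VER - 1)

/* First-line length without CRLF; -1 if no CRLF or a non-printable byte. */
static long first_line_len(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (p[i] == '\r' && p[i + 1] == '\n')
            return (long)i;
        if (p[i] < 0x20 || p[i] > 0x7e)
            return -1;
    }
    return -1;
}

int sip_start_line_kind(const unsigned char *p, size_t len)
{
    long n = first_line_len(p, len);
    if (n < (long)VER_LEN + 4)            /* shortest case: "A x SIP/2.0" */
        return 0;
    size_t ln = (size_t)n, m = 0;
    if (memcmp(p, SIP_VER, VER_LEN) == 0) /* "SIP/2.0 SP 3DIGIT SP reason" */
        return ln >= VER_LEN + 5 && p[7] == ' ' && isdigit(p[8]) &&
               isdigit(p[9]) && isdigit(p[10]) && p[11] == ' ' ? 2 : 0;
    /* "Method SP Request-URI SP SIP/2.0"; method narrowed to A-Z here
     * (assumption: registered SIP methods are all upper-case letters). */
    while (m < ln && isupper(p[m]))
        m++;
    size_t uri = m + 1, ver = ln - VER_LEN; /* offsets of URI and version */
    if (m == 0 || m >= ln || p[m] != ' ' || ver < uri + 2 || p[ver - 1] != ' ' ||
        memcmp(p + ver, SIP_VER, VER_LEN) != 0)
        return 0;
    return memchr(p + uri, ' ', ver - 1 - uri) == NULL ? 1 : 0;
}

int main(void)
{
    const char *s[] = { "INVITE sip:bob@example.com SIP/2.0\r\nVia: x\r\n",
                        "SIP/2.0 180 Ringing\r\n", "GET / HTTP/1.1\r\n" }; /* constructed */
    for (int i = 0; i < 3; i++)
        printf("%d\n", sip_start_line_kind((const unsigned char *)s[i], strlen(s[i])));
    return 0;
}
```

A payload whose first line is cut off before its CRLF is reported as not SIP, so a truncated capture needs a larger snap length before this check is meaningful.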