
I've developed a very simple heuristic dissector for a proprietary protocol using Wireshark 1.6.8. It works flawlessly and the heuristics identify the payload on top of TCP.

The same sources compile fine with Wireshark 1.8.4, but Wireshark appears to be unable to identify the payload. The frames are identified if and only if I force it with "Dissect as...".

I've added some printf to the dissector function and they never show up unless I use "Dissect as...". I've also checked that "Analyze / Enabled Protocols" has my protocol enabled.

What could be the problem?

asked 17 Dec '12, 07:02

Rafa

What are the frames in question actually identified as?

A different protocol (which is also identified heuristically)?

If so, does disabling that protocol help?


answered 17 Dec '12, 07:15

Bill Meier ♦♦

They are identified as TCP and I have the heuristic dissector chained to TCP: heur_dissector_add("tcp", dissect_blah_heur, proto_blah);

(17 Dec '12, 07:22) Rafa

In theory, heuristic dissectors chained to TCP are called in turn until one indicates that it can dissect the data.

If your dissector is not being called, then either some other heuristic dissector has grabbed the frame or the frame has been grabbed by a dissector based on the TCP port being used.

Since "Decode As" works, it seems to me that another dissector must have grabbed the frame.

In either case I would have expected that that dissector would show as being over TCP in the details pane.

What happens if you set the "Try heuristic sub-dissectors first" TCP preference?

(17 Dec '12, 19:02) Bill Meier ♦♦

Thank you, that was the problem. That preference was set in Wireshark 1.6 but not in 1.8 although this is the first time I have played with the TCP preferences.

(18 Dec '12, 01:10) Rafa
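
The ordering Bill Meier describes, as an added example that is not part of the original thread and is not Wireshark source code: a simplified stand-alone model of how a TCP payload is offered to a port-registered dissector and to the heuristic list, and how a "try heuristics first" flag changes which one claims it. Apart from `dissect_blah_heur`, every name, the "BLAH" magic and the sample payload are assumptions made for illustration.

```c
/* Simplified model (NOT Wireshark source) of TCP sub-dissector dispatch.
 * All names except dissect_blah_heur are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef int (*dissector_fn)(const unsigned char *buf, size_t len); /* nonzero = claimed */

static const char *claimed_by; /* set by whichever dissector accepts the payload */

/* Port-registered dissector: claims anything on its port (constructed example). */
static int dissect_byport(const unsigned char *buf, size_t len) {
    (void)buf; (void)len;
    claimed_by = "port-based";
    return 1;
}

/* Heuristic dissector: claims only payloads that start with the assumed magic. */
static int dissect_blah_heur(const unsigned char *buf, size_t len) {
    if (len < 4 || memcmp(buf, "BLAH", 4) != 0)
        return 0; /* not ours: let the next candidate try */
    claimed_by = "blah (heuristic)";
    return 1;
}

static dissector_fn heur_list[] = { dissect_blah_heur };

/* Call heuristic dissectors in turn until one claims the payload. */
static int try_heuristics(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i](buf, len)) return 1;
    return 0;
}

/* port_fn is the dissector registered for the TCP port, or NULL if none. */
const char *decode_payload(dissector_fn port_fn, int heur_first,
                           const unsigned char *buf, size_t len) {
    claimed_by = "data (undissected)";
    if (heur_first && try_heuristics(buf, len)) return claimed_by;
    if (port_fn && port_fn(buf, len)) return claimed_by;
    if (!heur_first) try_heuristics(buf, len);
    return claimed_by;
}

int main(void) {
    const unsigned char pkt[] = "BLAH\x01\x02"; /* constructed payload */
    printf("heuristics last : %s\n", decode_payload(dissect_byport, 0, pkt, 6));
    printf("heuristics first: %s\n", decode_payload(dissect_byport, 1, pkt, 6));
    return 0;
}
```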