I've developed a very simple heuristic dissector for a proprietary protocol using Wireshark 1.6.8. It works flawlessly and the heuristics identify the payload on top of TCP. The same sources compile fine with Wireshark 1.8.4 but Wireshark appears to be unable to identify the payload. The frames are identified if and only if I force it with 'Dissect as..'. I've added some printf to the dissector function and they never show up unless I use "Dissect as...". I've also checked that "Analyze / Enabled Protocols" has my protocol enabled. What could be the problem? asked 17 Dec '12, 07:02  Rafa |
One Answer:
What are the frames in question actually identified as ? A different protocol (which is also identified heuristically) ? If so, does disabling that protocol help ? answered 17 Dec '12, 07:15  Bill Meier ♦♦ |
They are identified as TCP and I have the heuristic dissector chained to TCP: heur_dissector_add("tcp", dissect_blah_heur, proto_blah);
In theory, heuristic dissectors chained to TCP are called in turn until one indicates that it can dissect the data.
If your dissector is not being called, then either some other heuristic dissector has grabbed the frame or the frame has been grabbed by a dissector based on the TCP port being used.
Since "Decode As" works, it seems to me that another dissector must have grabbed the frame.
In either case I would have expected that that dissector would show as being over TCP in the details pane.
What happens if you set the "Try heuristic sub-dissectors first" TCP preference ?
Thank you, that was the problem. That preference was set in Wireshark 1.6 but not in 1.8 although this is the first time I have played with the TCP preferences.