How can a dissector deal with different versions of a protocol, when the versions can't really be distinguished from the data stream? The version number isn't available in the data stream or any associated control stream, and without the version number, it is often not possible to decode the data correctly. One way is to try to decode a set of possible versions, and to see which ones look reasonable, but this is very circuitous and prone to mistakes. Is there a way for a dissector to ask the user for this information? Thanks, Dirk De Schepper asked 14 Jul '13, 23:30 deschepper
One Answer:
If there is no field in the protocol to indicate the protocol version and dissection for the packet is dependent on the protocol version, then you either need to use heuristics on (part of) the packet to determine the version or (if heuristics have a big chance of failing) use a protocol preference. A protocol preference gives the user the possibility to change the behavior of the protocol dissector by setting one or more preferences. Protocol version could be one of those preferences. See also: http://anonsvn.wireshark.org/viewvc/trunk/doc/README.dissector?revision=50557 paragraph 2.6 answered 14 Jul '13, 23:54 SYN-bit
Then you can't actually have different dissector settings for different communication sessions you're monitoring? I guess it's the fault of the protocol for not providing version information... Thanks for the answer.
Nope, that is the downside if information in the packets is not enough to determine the protocol version...
You could use the "Decode As..." functionality to accomplish this if you register both versions of the dissector to the upper layer protocol (which must provide some method of distinguishing each session).
Could you share a tracefile (on www.cloudshark.org) with both versions of the protocol in it so we can have a look if this is feasible?
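The two approaches from the answer and the follow-up comments, a version preference and per-session "Decode As", shown together in one dissector. This is an added example, not code from the thread or from Wireshark itself; it uses Wireshark's Lua dissector API rather than the C API that the linked README.dissector describes, since the same preference and dissector-table facilities are exposed there. The protocol "exproto", its two invented wire layouts, the field names and TCP port 9999 are all assumptions made for this example, and `add_for_decode_as()` is assumed to be available (it exists in Wireshark 2.0 and later).

```lua
-- Added example (not from the original thread): a Wireshark Lua dissector for a
-- hypothetical protocol "exproto" whose packets carry no version field.
-- Invented wire formats:  v1 = uint16 length | payload
--                         v2 = uint32 length | uint8 flags | payload
-- The protocol name, field names and TCP port 9999 are assumptions.

local EXPROTO_PORT = 9999

-- Fields shared by both layouts (the flags field is only added for v2).
local f_len   = ProtoField.uint32("exproto.len",     "Length")
local f_flags = ProtoField.uint8 ("exproto.flags",   "Flags", base.HEX)
local f_data  = ProtoField.bytes ("exproto.payload", "Payload")

-- One subtree builder per wire format; `proto` is whichever Proto is the root.
local function dissect_v1(proto, buf, pinfo, tree)
    if buf:len() < 2 then return 0 end
    local st = tree:add(proto, buf(), "Example protocol (version 1)")
    st:add(f_len, buf(0, 2))
    if buf:len() > 2 then st:add(f_data, buf(2)) end
    return buf:len()
end

local function dissect_v2(proto, buf, pinfo, tree)
    if buf:len() < 5 then return 0 end
    local st = tree:add(proto, buf(), "Example protocol (version 2)")
    st:add(f_len,   buf(0, 4))
    st:add(f_flags, buf(4, 1))
    if buf:len() > 5 then st:add(f_data, buf(5)) end
    return buf:len()
end

-- Option 1: a protocol preference (Edit > Preferences > Protocols > EXPROTO).
-- It is global for the whole capture, which is the limitation noted above.
local exproto = Proto("exproto", "Example versioned protocol")
exproto.fields = { f_len, f_flags, f_data }

local VER_AUTO, VER_1, VER_2 = 0, 1, 2
exproto.prefs.version = Pref.enum(
    "Protocol version",
    VER_1,
    "Wire-format version; it is not carried in the packets themselves",
    { { "v1",   "Version 1 (16-bit length)",           VER_1 },
      { "v2",   "Version 2 (32-bit length, flags)",    VER_2 },
      { "auto", "Guess from the length field (risky)", VER_AUTO } },
    false)  -- false: drop-down list, true: radio buttons

-- Heuristic behind the "guess" setting: pick the layout whose length field is
-- consistent with the segment length. This is the fragile approach the
-- question warns about, so it is only offered as an explicit opt-in.
local function guess_version(buf)
    local n = buf:len()
    if n >= 2 and buf(0, 2):uint() == n - 2 then return VER_1 end
    if n >= 5 and buf(0, 4):uint() == n - 5 then return VER_2 end
    return VER_1
end

function exproto.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "EXPROTO"
    local v = exproto.prefs.version
    if v == VER_AUTO then v = guess_version(buf) end
    if v == VER_2 then
        return dissect_v2(exproto, buf, pinfo, tree)
    end
    return dissect_v1(exproto, buf, pinfo, tree)
end

-- Option 2: "Decode As". One Proto per version, both offered in the TCP port
-- table, so the user picks a version per conversation (Analyze > Decode As...,
-- field "TCP port"). Here the TCP port is what lets the upper layer tell
-- sessions apart, as the comment above requires.
local exproto_v1 = Proto("exproto_v1", "Example versioned protocol, v1 only")
local exproto_v2 = Proto("exproto_v2", "Example versioned protocol, v2 only")

function exproto_v1.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "EXPROTO-V1"
    return dissect_v1(exproto_v1, buf, pinfo, tree)
end

function exproto_v2.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "EXPROTO-V2"
    return dissect_v2(exproto_v2, buf, pinfo, tree)
end

local tcp_port = DissectorTable.get("tcp.port")
tcp_port:add(EXPROTO_PORT, exproto)   -- default: the preference-driven dissector
-- add_for_decode_as() lists a dissector under Decode As without binding it to
-- a port (Wireshark 2.0 or later; an assumption of this example).
tcp_port:add_for_decode_as(exproto_v1)
tcp_port:add_for_decode_as(exproto_v2)
```

Load it with `wireshark -X lua_script:exproto.lua` or drop it in the personal plugins directory. Traffic on port 9999 is then decoded according to the preference; a conversation on another port, or one that needs the other version, can be assigned `EXPROTO_V1` or `EXPROTO_V2` individually through Decode As, which is the per-session behaviour the preference alone cannot give.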