This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP dissector being called on UDP

0

Hi,

I have two dissectors specified in different files. One TCP and the other UDP. The protocols I am dissecting both use the same magic, in TCP or in UDP. When opening a cap, during packet dissection it seems both dissectors are called on a UDP packet. In the output I get informations from the UDP dissector....and the TCP dissector.

How is that possible ? Each dissector is registered using the correct udp.port or tcp.port table. How can a dissector be triggered on a packet type it's not registered for ?

Stripped/Simplified code :

DISSECTOR_A = Proto ("DISSECTOR_A", "A udp Protocol")
-- register to handle udp port range
local function register_udp_port_range(start_port, end_port)
if not start_port or start_port <= 0 or not end_port or end_port <= 0 then
    return
end
udp_port_table = DissectorTable.get("udp.port")
for port = start_port,end_port do
    udp_port_table:add(port,DISSECTOR_A)
end
 end    
 register_udp_port_range(7400,65000)
 function DISSECTOR_A.dissector (buffer, pinfo, tree)
  subtree = tree:add (DISSECTOR_A, buffer())
  -- Modify columns
  pinfo.cols.protocol = DISSECTOR_A.name
  pinfo.cols.info = "PROTOCOL A"
  dissection etc etc
end

function DISSECTOR_A.init () packet_counter = 0 end

Other dissector :

 DISSECTOR_B = Proto ("DISSECTOR_B", "B tcp Protocol")

– register to handle tcp port range local function register_tcp_port_range(start_port, end_port) if not start_port or start_port <= 0 or not end_port or end_port <= 0 then return end tcp_port_table = DissectorTable.get("tcp.port") for port = start_port,end_port do tcp_port_table:add(port,DISSECTOR_B) end end
register_tcp_port_range(7400,65000)

function DISSECTOR_B.dissector (buffer, pinfo, tree) subtree = tree:add (DISSECTOR_B, buffer())

– Modify columns pinfo.cols.protocol = DISSECTOR_B.name pinfo.cols.info = "PROTOCOL B" end

function DISSECTOR_B.init () packet_counter = 0 end

Thanks

asked 02 Jan ‘14, 03:54

lepolac's gravatar image

lepolac
16446
accept rate: 0%

edited 02 Jan ‘14, 04:01