This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using UDP dest port as dissector handoff

0
1

Hi, I am working on a dissector but I'm having trouble performing the handoff correctly. The packet in question is tunneled so I need to perform the handoff after the external headers. Right now I was able to get it to work by using the UDP dest port as a trigger, but I am wondering if that is a safe way to do it. Will any traffic going to the same UDP dest port be analyzed using this dissector then (including packets I may not want)?

dissector_add_uint("udp.port", 8099, juniper_vn_handle);

asked 11 Jul '16, 11:58


asetia
accept rate: 0%


One Answer:

1
Will any traffic going to the same UDP dest port be analyzed using this dissector then (including packets I may not want)?

Yes, that would be the case. There is no concept of how much layering is applied when selecting the dissector (as you have noticed by the lack of any API parameter for this).

That stems from the fact that port numbers are/were intended to identify specific services at the various network hosts. Many still are present at their well known port numbers, but many more are present at the higher numbers. This is such a case. Therefore it's inevitable that a 'foreign protocol' may enter via this port number into your dissector.

There are two ways about it:

  1. Setting up a conversation (based on IP addresses, port numbers and transport layer protocol)
  2. Make a heuristic dissector (which determines from the start of the packet whether the packet is indeed of the expected protocol)

answered 11 Jul '16, 14:28


Jaap ♦
accept rate: 14%
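
The heuristic option from the answer above, as an added example that is not part of the original thread or of Wireshark's code: a stand-alone C check of the kind a heuristic dissector runs on the first bytes of a UDP payload before claiming the packet. The header layout, the constants and the name vn_looks_valid are hypothetical, because the thread does not describe the tunneled protocol's format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HYPOTHETICAL header layout, assumed for this example only:
 *   bytes 0-1  magic 0x4A56
 *   byte  2    version (must be 1)
 *   byte  3    flags (upper 4 bits reserved, must be zero)
 *   bytes 4-5  payload length, big-endian, counted after the header */
#define VN_HDR_LEN 6u
#define VN_MAGIC   0x4A56u
#define VN_VERSION 1u

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns true only when the bytes look like the expected protocol.
 * In a Wireshark heuristic dissector (registered with heur_dissector_add()
 * instead of dissector_add_uint()) this test sits at the top of the
 * function; returning false hands the packet to other dissectors. */
bool vn_looks_valid(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < VN_HDR_LEN)  /* never read past the captured bytes */
        return false;
    if (be16(buf) != VN_MAGIC)            /* wrong magic: foreign protocol */
        return false;
    if (buf[2] != VN_VERSION)             /* unknown version */
        return false;
    if (buf[3] & 0xF0u)                   /* reserved flag bits set */
        return false;
    /* The declared length must match what actually follows the header. */
    return (size_t)be16(buf + 4) == len - VN_HDR_LEN;
}

/* Constructed sample UDP payloads (not taken from a capture). */
static const uint8_t sample_ok[]      = { 0x4A, 0x56, 0x01, 0x00, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t sample_foreign[] = { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t sample_short[]   = { 0x4A, 0x56, 0x01 };
static const uint8_t sample_badlen[]  = { 0x4A, 0x56, 0x01, 0x00, 0x00, 0x09, 0xAA };

int main(void)
{
    printf("ok=%d foreign=%d short=%d badlen=%d\n",
           vn_looks_valid(sample_ok, sizeof sample_ok),
           vn_looks_valid(sample_foreign, sizeof sample_foreign),
           vn_looks_valid(sample_short, sizeof sample_short),
           vn_looks_valid(sample_badlen, sizeof sample_badlen));
    return 0;
}
```

The more independent fields the check covers, the less likely unrelated traffic on the same port is to pass it; a bare port match gives no such filtering.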