
List:       wireshark-dev
Subject:    Re: [Wireshark-dev] Two dissectors on same TCP port?
From:       Guy Harris <guy () alum ! mit ! edu>
Date:       2009-09-30 20:59:46
Message-ID: 528D4C78-9DE7-46DD-B5B9-47CFA3DEE73D () alum ! mit ! edu


On Sep 30, 2009, at 1:21 PM, Alex Lindberg wrote:

> In my specific case, the custom protocol runs on the same TCP port
> as the h248 MEGACO protocol and relays custom information between a
> media gateway and its controller.
>
> The custom protocol uses what I would call a "magic cookie" as the  
> first 4 bytes following the tpkt part of the h248 message.

In other words, the answer to my question

	Is it something in the contents of the packet, or is it a preference  
setting, or is it something else?

is "it's something in the contents of the packet", so you should try  
my suggestion:

	One way to do this would be to make your dissector a heuristic  
dissector, have it check for the port number and the unique condition  
(if there's a match, dissect and return TRUE, otherwise return FALSE),  
and set the TCP preference to run the heuristic dissectors first.

which would require no changes to Wireshark itself - you'd just have  
to set that TCP preference.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
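
The accept/reject test a heuristic dissector like the one suggested above would make, as an added example that is not part of the original message and is not Wireshark code. It works on a plain byte buffer rather than the Wireshark API, and the port number, the cookie bytes and the sample payloads are assumed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumptions, not from the original message: substitute the real values. */
#define CUSTOM_TCP_PORT 2944u                                   /* assumed port */
static const uint8_t CUSTOM_COOKIE[4] = { 'C', 'K', 'I', 'E' }; /* placeholder cookie */

#define TPKT_HDR_LEN 4u /* RFC 1006: version, reserved, 16-bit length */

/* Constructed sample payloads (TPKT header followed by the body). */
static const uint8_t SAMPLE_CUSTOM[] = { 3, 0, 0, 12, 'C', 'K', 'I', 'E', 1, 2, 3, 4 };
static const uint8_t SAMPLE_H248[]   = { 3, 0, 0, 12, 'M', 'E', 'G', 'A', 'C', 'O', '/', '1' };

/* Heuristic test: true means "this is the custom protocol, dissect it";
 * false means "not mine", so the port's regular dissector gets the packet. */
static bool custom_heur_match(const uint8_t *data, size_t len,
                              uint16_t srcport, uint16_t dstport)
{
    /* Port check: only look at traffic on the shared port. */
    if (srcport != CUSTOM_TCP_PORT && dstport != CUSTOM_TCP_PORT)
        return false;

    /* A segment too short to hold the TPKT header plus the cookie is
     * rejected before any byte is read, so nothing is read out of bounds. */
    if (data == NULL || len < TPKT_HDR_LEN + sizeof CUSTOM_COOKIE)
        return false;

    /* TPKT sanity: version 3, and the declared length covers the cookie. */
    if (data[0] != 3)
        return false;
    size_t tpkt_len = ((size_t)data[2] << 8) | data[3];
    if (tpkt_len < TPKT_HDR_LEN + sizeof CUSTOM_COOKIE)
        return false;

    /* The unique condition: the 4 bytes right after the TPKT header. */
    return memcmp(data + TPKT_HDR_LEN, CUSTOM_COOKIE, sizeof CUSTOM_COOKIE) == 0;
}

int main(void)
{
    bool ok = custom_heur_match(SAMPLE_CUSTOM, sizeof SAMPLE_CUSTOM, 40000, CUSTOM_TCP_PORT)
           && !custom_heur_match(SAMPLE_H248, sizeof SAMPLE_H248, 40000, CUSTOM_TCP_PORT);
    return ok ? 0 : 1;
}
```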