
I think you're on the right track here, though there's some detail wrong (isn't it always).

What you call override is something else. Think of the protocols in a stack. The Ethernet frame has a selector field (called several things based on value) indicating the rest is IPv4, the IPv4 header has a selector field (called protocol ID) indicating the rest is UDP, and the UDP header has a field (called source / destination port) that can help determine the protocol in the UDP payload.

This last one is where your FOO dissector comes in. It registers itself to the UDP protocol port table, which means that once the UDP dissector has seen the source / destination port it tries to find a dissector that registered itself for that port number, so that it can hand the UDP payload to that dissector.

If your dissector is not called, the first thing to verify is that the UDP dissector port table does indeed have a registration for your dissector at the expected port number. You can find this in View | Internals | Dissector Tables. This dialog shows all tables, so you have to go look in the Integer tables, under the UDP port list, to see if your dissector is there under the expected port number.

Other details can be the UDP test packet, which needs the correct port number in it. The protocol needs to not be disabled (obviously). Just to name a few.
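
The selector chain and port-table lookup described in the answer above, as an added example that is not part of the original post and is not Wireshark's own code. It is a small Python model; the FOO payload layout, `FOO_PORT`, and all function names are assumptions made for illustration.

```python
import struct

UDP_PORT_TABLE = {}  # model of the UDP port table: port -> dissector

def dissect_foo(payload):
    # Constructed FOO layout (assumption): 1-byte type, 2-byte sequence number.
    if len(payload) < 3:
        return ("FOO", "truncated")
    ptype, seq = struct.unpack("!BH", payload[:3])
    return ("FOO", {"type": ptype, "seq": seq})

def dissect_udp(data):
    if len(data) < 8:
        return ("UDP", "truncated")
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    payload = data[8:max(length, 8)]
    # This model checks the destination port first, then the source port.
    for port in (dport, sport):
        if port in UDP_PORT_TABLE:
            return UDP_PORT_TABLE[port](payload)
    return ("data", len(payload))  # no registration: payload stays undissected

def dissect_ipv4(data):
    if len(data) < 20 or data[0] >> 4 != 4:
        return ("IPv4", "malformed")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return ("IPv4", "malformed")
    if data[9] == 17:  # protocol field selects UDP
        return dissect_udp(data[ihl:])
    return ("IPv4", "unhandled protocol %d" % data[9])

def dissect_ethernet(frame):
    if len(frame) < 14:
        return ("Ethernet", "truncated")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0800:  # type field selects IPv4
        return dissect_ipv4(frame[14:])
    return ("Ethernet", "unhandled type 0x%04x" % ethertype)

def build_frame(sport, dport, payload):
    # Constructed test frame; checksums are left at zero.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + struct.pack("!H", 0x0800) + ip + udp

FOO_PORT = 1234  # assumed port, not taken from the page
UDP_PORT_TABLE[FOO_PORT] = dissect_foo  # the registration step
```

A frame whose UDP ports do not match any table entry falls through to the generic `data` result, which is the symptom of a missing or mismatched registration.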