It's most likely not DRDA, which is a heuristic decoder.
epan/dissectors/packet-drda.c:

    heur_dissector_add("tcp", dissect_drda_heur, "DRDA over TCP", "drda_tcp", proto_drda, HEURISTIC_ENABLE);

It's tough to confirm without a capture file. You can work through the code to see why your packets are a match.
epan/dissectors/packet-drda.c:

    dissect_drda_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
    {
        conversation_t * conversation;
        if (tvb_captured_length(tvb) >= 10)
        {
            /* The first header is 6 bytes long, so the length in the second header should be 6 bytes less */
            guint16 cOuterLength, cInnerLength;
            cOuterLength = tvb_get_ntohs(tvb, 0);
            cInnerLength = tvb_get_ntohs(tvb, 6);
            if ((tvb_get_guint8(tvb, 2) == DRDA_MAGIC) && ((cOuterLength - cInnerLength) == 6))
            {
                /* Register this dissector for this conversation */
                conversation = find_or_create_conversation(pinfo);
                conversation_set_dissector(conversation, drda_tcp_handle);
                /* Dissect the packet */
                dissect_drda_tcp(tvb, pinfo, tree, data);
                return TRUE;
            }
        }
        return FALSE;
    }

Disable DRDA (Analyze -> Enabled Protocols...) to see which dissector grabs it next.
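
A standalone version of the same test, added here as an example (it is not Wireshark code and not part of the original answer), reports which condition a raw TCP payload meets or fails. `drda_heur_check`, the result codes and the sample payloads are hypothetical and constructed; `DRDA_MAGIC` is assumed to be 0xD0, its value in packet-drda.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 0xD0 is the value of DRDA_MAGIC in packet-drda.c (not shown in the excerpt). */
#define DRDA_MAGIC 0xD0

/* Hypothetical result codes naming which part of the heuristic decided. */
enum drda_heur_result { DRDA_MATCH, DRDA_TOO_SHORT, DRDA_BAD_MAGIC, DRDA_BAD_LENGTHS };

static const char *const result_names[] = {
    "match", "too short", "magic byte differs", "length fields do not differ by 6"
};

/* Big-endian 16-bit read, the standalone equivalent of tvb_get_ntohs(). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Same conditions as dissect_drda_heur(), applied to a plain byte buffer. */
enum drda_heur_result drda_heur_check(const uint8_t *buf, size_t len)
{
    if (len < 10)
        return DRDA_TOO_SHORT;
    if (buf[2] != DRDA_MAGIC)
        return DRDA_BAD_MAGIC;
    /* The dissector subtracts two guint16 values, which are promoted to int. */
    if ((int)be16(buf) - (int)be16(buf + 6) != 6)
        return DRDA_BAD_LENGTHS;
    return DRDA_MATCH;
}

/* Constructed payloads, not taken from any capture. */
static const uint8_t sample_drda[]  = {0x00,0x0A,0xD0,0x01,0x00,0x01,0x00,0x04,0x10,0x41};
/* Arbitrary bytes with 0xD0 at offset 2 and 0x1234 - 0x122E == 6: still claimed. */
static const uint8_t sample_other[] = {0x12,0x34,0xD0,0xFF,0xFF,0xFF,0x12,0x2E,0xAA,0xBB};
static const uint8_t sample_magic[] = {0x00,0x0A,0x47,0x01,0x00,0x01,0x00,0x04,0x10,0x41};
static const uint8_t sample_lens[]  = {0x00,0x0A,0xD0,0x01,0x00,0x01,0x00,0x05,0x10,0x41};
static const uint8_t sample_short[] = {0x00,0x0A,0xD0,0x01,0x00,0x01};

int main(void)
{
    printf("sample_drda:  %s\n", result_names[drda_heur_check(sample_drda, sizeof sample_drda)]);
    printf("sample_other: %s\n", result_names[drda_heur_check(sample_other, sizeof sample_other)]);
    printf("sample_magic: %s\n", result_names[drda_heur_check(sample_magic, sizeof sample_magic)]);
    printf("sample_lens:  %s\n", result_names[drda_heur_check(sample_lens, sizeof sample_lens)]);
    printf("sample_short: %s\n", result_names[drda_heur_check(sample_short, sizeof sample_short)]);
    return 0;
}
```

Feeding the first ten payload bytes of a misidentified packet to `drda_heur_check` shows whether the three tested byte positions alone explain the match.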