Revision history

initial version

It's most likely not DRDA, which is a heuristic decoder.


heur_dissector_add("tcp", dissect_drda_heur, "DRDA over TCP", "drda_tcp", proto_drda, HEURISTIC_ENABLE);

It's tough to confirm without a capture file. You can work through the code to see why your packets are a match.

static gboolean
dissect_drda_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    conversation_t * conversation;

    /* Need at least the 6-byte DDM header plus the first 4 bytes
       (length and codepoint) of the inner object */
    if (tvb_captured_length(tvb) >= 10)
    {
        /* The first header is 6 bytes long, so the length in the second header should be 6 bytes less */
        guint16 cOuterLength, cInnerLength;
        cOuterLength = tvb_get_ntohs(tvb, 0);
        cInnerLength = tvb_get_ntohs(tvb, 6);

        /* Byte 2 must be the DDM magic byte (DRDA_MAGIC, 0xD0) and the two
           lengths must differ by exactly the size of the outer header */
        if ((tvb_get_guint8(tvb, 2) == DRDA_MAGIC) && ((cOuterLength - cInnerLength) == 6))
        {
            /* Register this dissector for this conversation */
            conversation = find_or_create_conversation(pinfo);
            conversation_set_dissector(conversation, drda_tcp_handle);

            /* Dissect the packet */
            dissect_drda_tcp(tvb, pinfo, tree, data);
            return TRUE;
        }
    }
    return FALSE;
}

Disable DRDA (Analyze -> Enabled Protocols...) to see which dissector grabs it next.
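To work through that check on your own bytes without stepping through the C, here is an added example (written for this page, not code from the answer above or from Wireshark) that re-implements the same heuristic in Python and runs it over constructed payloads. It assumes DRDA_MAGIC is 0xD0, the DDM header "magic" byte defined in packet-drda.c; all sample byte strings below are constructed, not captured traffic.

```python
"""Stand-alone re-implementation of Wireshark's DRDA heuristic (added example, not Wireshark code)."""

# Assumption: DRDA_MAGIC in packet-drda.c is 0xD0, the DDM header "magic" byte.
DRDA_MAGIC = 0xD0
MIN_LEN = 10  # the C code requires tvb_captured_length(tvb) >= 10


def looks_like_drda(payload: bytes) -> bool:
    """Mirror dissect_drda_heur(): True if this TCP payload would be claimed as DRDA."""
    if len(payload) < MIN_LEN:
        return False
    outer_len = int.from_bytes(payload[0:2], "big")   # tvb_get_ntohs(tvb, 0)
    inner_len = int.from_bytes(payload[6:8], "big")   # tvb_get_ntohs(tvb, 6)
    # In C both operands are guint16 promoted to int, so the difference is signed
    # and does not wrap; plain Python subtraction behaves the same way.
    return payload[2] == DRDA_MAGIC and (outer_len - inner_len) == 6


def explain(payload: bytes) -> dict:
    """Return the fields the heuristic looks at, so a match or mismatch is easy to see."""
    if len(payload) < MIN_LEN:
        return {"captured_length": len(payload), "matches": False, "reason": "shorter than 10 bytes"}
    outer_len = int.from_bytes(payload[0:2], "big")
    inner_len = int.from_bytes(payload[6:8], "big")
    return {
        "captured_length": len(payload),
        "outer_length": outer_len,
        "byte2": payload[2],
        "byte2_is_magic": payload[2] == DRDA_MAGIC,
        "inner_length": inner_len,
        "length_difference": outer_len - inner_len,
        "matches": looks_like_drda(payload),
    }


def from_hex_stream(hex_stream: str) -> bytes:
    """Turn a Wireshark 'Copy > ...as a Hex Stream' string into bytes (spaces/colons tolerated)."""
    return bytes.fromhex(hex_stream.replace(" ", "").replace(":", ""))


# Constructed samples (not captured traffic).
# A minimal well-formed DRDA DSS: 6-byte DDM header (length 0x0010, magic D0,
# format 0x41, correlation id 1) followed by an inner object of length 0x000A
# with codepoint 0x1041 (EXCSAT) and 6 bytes of filler.
SAMPLE_DRDA = bytes.fromhex("0010d0410001" "000a1041" "000000000000")

# Plain HTTP: byte 2 is 'T' (0x54), not 0xD0, so the heuristic rejects it.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"

# A non-DRDA payload that nevertheless satisfies the heuristic: byte 2 happens
# to be 0xD0 and the big-endian values at offsets 0 and 6 differ by exactly 6.
# This is the kind of collision that makes a heuristic dissector claim foreign traffic.
SAMPLE_COLLISION = bytes.fromhex("1234d0ffffff" "122e" "ffffffffffffffff")

# Too short for the length check, regardless of content.
SAMPLE_SHORT = bytes.fromhex("0008d0410001" "0002")


if __name__ == "__main__":
    for name, pkt in [("DRDA", SAMPLE_DRDA), ("HTTP", SAMPLE_HTTP),
                      ("collision", SAMPLE_COLLISION), ("short", SAMPLE_SHORT)]:
        print(f"{name:10s} {explain(pkt)}")
```

To check a real packet, select the TCP payload in Wireshark, copy it as a hex stream, and pass it through from_hex_stream() into explain(): the output shows exactly which of the three conditions (length, magic byte, length difference) caused the packet to be claimed.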