Heuristic dissector not called
Hi,
I was wondering why my heuristic dissector was not being called (adwin_config). After setting "Try heuristic sub-dissectors first" in TCP-Settings, my dissector was called (took me a while to find that out...). Before setting the option "Try heuristic sub-dissectors first" the TCP payload was not dissected by any dissector (at least, wireshark did not display anything for the payload).
So does "Try heuristic sub-dissectors first" basically disable heuristic dissectors completely? That is not, what the name suggests. How can I find out why my dissector is not being called?
Regards, Thomas
We would need to know what TCP port the traffic is on in order to see what other dissectors may be involved.
It is port 7000, wireshark shows "afs3-fileserver" but I guess that is just taken from /etc/services and not from another dissector.
Actually, the packet-afs dissector seems to handle TCP traffic on 7000, but since it cannot decode anything, it does not add anything to the protocol tree. Maybe my dissector would be called, it the afs dissector would "fail" properly for unknown content.
Where does it show that. As an interpretation of the TCP port number, or in the protocol column, or elsewhere. Please be specific.
As for the behaviour of the AFS dissector, there have been improvements in the way dissectors can report their acceptance or rejection of packets. Not all dissectors make use of these methods though, hence may stand in the way of other dissectors. What would be a possibility is to disable the AFS dissector and see what happens then.
Sorry for being too unspecific. afs3-fileserver is just the interpretation of the TCP port number. It does not show up in the protocol column. Even after I disabled "AFS (RX)", my dissector is not called, unless "Try heuristic sub-dissectors first" is set. How do I find out which dissector "eats" my packets?
I have uploaded a sample capture file, if that helps:
https://www.adwin-downloads.de/Bootlo...
Try disabling the 'Gryphon' dissector instead.