Heuristic dissector not called

asked 2017-11-30 13:30:17 +0000

THerrmann

Hi,

I was wondering why my heuristic dissector was not being called (adwin_config). After setting "Try heuristic sub-dissectors first" in TCP-Settings, my dissector was called (took me a while to find that out...). Before setting the option "Try heuristic sub-dissectors first" the TCP payload was not dissected by any dissector (at least, wireshark did not display anything for the payload).

So does "Try heuristic sub-dissectors first" basically disable heuristic dissectors completely? That is not what the name suggests. How can I find out why my dissector is not being called?

Regards, Thomas


Comments

We would need to know what TCP port the traffic is on in order to see what other dissectors may be involved.

Jaap ( 2017-11-30 13:53:50 +0000 )

It is port 7000, wireshark shows "afs3-fileserver" but I guess that is just taken from /etc/services and not from another dissector.

Actually, the packet-afs dissector seems to handle TCP traffic on 7000, but since it cannot decode anything, it does not add anything to the protocol tree. Maybe my dissector would be called if the afs dissector would "fail" properly for unknown content.

THerrmann ( 2017-11-30 13:57:16 +0000 )

> wireshark shows "afs3-fileserver"

Where does it show that? As an interpretation of the TCP port number, or in the protocol column, or elsewhere? Please be specific.

As for the behaviour of the AFS dissector, there have been improvements in the way dissectors can report their acceptance or rejection of packets. Not all dissectors make use of these methods though, hence may stand in the way of other dissectors. What would be a possibility is to disable the AFS dissector and see what happens then.

Jaap ( 2017-11-30 18:51:35 +0000 )

Sorry for being too unspecific. afs3-fileserver is just the interpretation of the TCP port number. It does not show up in the protocol column. Even after I disabled "AFS (RX)", my dissector is not called, unless "Try heuristic sub-dissectors first" is set. How do I find out which dissector "eats" my packets?

I have uploaded a sample capture file, if that helps:

https://www.adwin-downloads.de/Bootlo...

THerrmann ( 2017-12-01 07:38:22 +0000 )

Try disabling the 'Gryphon' dissector instead.

Jaap ( 2017-12-01 12:03:00 +0000 )

Excellent! It was indeed the gryphon dissector. I grepped through the whole epan directory for 7000, but I missed the plugin directory. Is there a "best practice" or "debug output" for finding out which dissector was called for a certain packet?

Since port 7000 is neither IANA registered for gryphon nor adwin_config, I guess the best solution in this case would be to change the gryphon dissector to a heuristic dissector? Or could the gryphon plugin be modified to "fail" properly for unknown content without being a heuristic dissector?

THerrmann ( 2017-12-01 12:41:42 +0000 )

View | Internals | Dissector tables

Look in the Integer Tables, at the TCP port table

Jaap ( 2017-12-01 17:28:49 +0000 )

Jaap, thanks for all your very helpful answers. I would never have found those dissector tables... Will probably be helpful in the future.

THerrmann ( 2017-12-02 13:15:53 +0000 )

I looked into the gryphon protocol and dissector; there seem to be many positions in the header with very few possible values. I think it would be easy to let the gryphon dissector fail properly. My question is: can this be done with a normal dissector, or do I need to convert to a heuristic dissector?

THerrmann ( 2017-12-04 10:15:47 +0000 )
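The thread's core question (why a heuristic dissector is never reached unless "Try heuristic sub-dissectors first" is set, and whether a port-registered dissector can "fail properly") comes down to the order in which the TCP dissector hands its payload to sub-dissectors and to whether a sub-dissector can reject a payload. The following C program is an added example, not Wireshark code and not the Gryphon or adwin_config dissector: it models that dispatch order (heuristics first only when the preference is set, then the lower port, then the higher port, then heuristics if they were not tried first, then plain "data") with a constructed payload, a hypothetical "greedy" port dissector that never rejects, a hypothetical "strict" one that rejects anything without an assumed magic byte, and a hypothetical heuristic dissector. All names, ports and the payload are assumptions made up for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A dissector returns the number of bytes it claimed; 0 means "not mine".
 * This mirrors the convention that a rejecting dissector returns 0 so the
 * caller can keep looking (added model, not Wireshark's own code). */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* Hypothetical strict port dissector: rejects payloads without an assumed magic byte. */
#define PORT_MAGIC 0xA5
static int port_strict(const uint8_t *buf, size_t len) {
    if (len < 2 || buf[0] != PORT_MAGIC) return 0;   /* not mine: let others try */
    return (int)len;
}

/* Hypothetical greedy port dissector: never rejects, claims every payload on its port. */
static int port_greedy(const uint8_t *buf, size_t len) {
    (void)buf;
    return (int)len;
}

/* Hypothetical heuristic dissector: accepts only payloads beginning with "HELO". */
static int heur_helo(const uint8_t *buf, size_t len) {
    return (len >= 4 && memcmp(buf, "HELO", 4) == 0) ? (int)len : 0;
}

typedef struct { uint16_t port; dissector_fn fn; const char *name; } port_entry;
typedef struct { dissector_fn fn; const char *name; } heur_entry;

static const char *try_ports(const port_entry *tbl, size_t n, uint16_t port,
                             const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].port == port && tbl[i].fn(buf, len) > 0) return tbl[i].name;
    return NULL;
}

static const char *try_heur(const heur_entry *lst, size_t n,
                            const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (lst[i].fn(buf, len) > 0) return lst[i].name;
    return NULL;
}

/* Modelled TCP payload dispatch: returns the name of the dissector that took
 * the payload, or "data" when nobody accepted it. */
const char *dispatch(const port_entry *tbl, size_t ntbl, const heur_entry *heur, size_t nheur,
                     int try_heuristic_first, uint16_t src, uint16_t dst,
                     const uint8_t *buf, size_t len) {
    const char *who = NULL;
    if (try_heuristic_first && (who = try_heur(heur, nheur, buf, len))) return who;
    uint16_t low = src < dst ? src : dst, high = src < dst ? dst : src;
    if ((who = try_ports(tbl, ntbl, low, buf, len))) return who;
    if ((who = try_ports(tbl, ntbl, high, buf, len))) return who;
    if (!try_heuristic_first && (who = try_heur(heur, nheur, buf, len))) return who;
    return "data";
}

/* Constructed payload and tables for the two scenarios (not from the capture in the thread). */
static const uint8_t sample[] = "HELO adwin";
static const heur_entry heurs[] = { { heur_helo, "helo-heur" } };

/* Port 7000 owned by a dissector that never rejects. */
const char *with_greedy(int heur_first) {
    const port_entry tbl[] = { { 7000, port_greedy, "greedy-7000" } };
    return dispatch(tbl, 1, heurs, 1, heur_first, 51234, 7000, sample, sizeof sample - 1);
}

/* Port 7000 owned by a dissector that rejects what it does not recognise. */
const char *with_strict(int heur_first) {
    const port_entry tbl[] = { { 7000, port_strict, "strict-7000" } };
    return dispatch(tbl, 1, heurs, 1, heur_first, 51234, 7000, sample, sizeof sample - 1);
}

int main(void) {
    printf("greedy port dissector, heuristics last : %s\n", with_greedy(0));
    printf("greedy port dissector, heuristics first: %s\n", with_greedy(1));
    printf("strict port dissector, heuristics last : %s\n", with_strict(0));
    printf("strict port dissector, heuristics first: %s\n", with_strict(1));
    return 0;
}
```

With the greedy owner of port 7000, the heuristic dissector is only reached when heuristics are tried first, which is the symptom described in the thread; with the strict owner, the heuristic dissector is reached in both settings because the port dissector returns 0 and the dispatcher moves on. In this model a port-registered dissector therefore does not need to become heuristic to "fail properly"; it needs to validate the header and return 0 when the payload is not its protocol.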