> The heuristic for SIP doesn't do any validation before passing the data to the main SIP dissector:
> https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398

Yes, thank you for pointing out where it happens, pretty thin layer of heuristics, indeed ;-).

> You could disable protocol "sip_udp" to prevent it from being called.

We cannot, as this would disable it over well-known UDP port 5060 as well and there we would like to keep it. Instead of all these contortions, why not introduce the logic matching the one for TCP ports? Seems pretty natural and general to me.

Kind Regards
Ariel Burbaickij

On Tue, Nov 29, 2022 at 4:43 PM chuck c <bubbas...@gmail.com> wrote:

> The heuristic for SIP doesn't do any validation before passing the data to
> the main SIP dissector:
> https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-sip.c#L3398
>
> You could disable protocol "sip_udp" to prevent it from being called.
>
> Or if you would like to test a development build (4.1.0rc0)
> https://www.wireshark.org/download/automated/, it is possible to set
> "Decode as..." for a UDP Port to the "Data" dissector.
>
> 11.4.2. User Specified Decodes
> https://www.wireshark.org/docs/wsug_html/#ChAdvDecodeAs
>
> Unable to disable decoding
> https://gitlab.com/wireshark/wireshark/-/issues/12098
>
> decode as: Add data dissector to all tables that support Decode As
> https://gitlab.com/wireshark/wireshark/-/merge_requests/7180
>
> On Tue, Nov 29, 2022 at 8:08 AM Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:
>
>> Hello Jaap, all,
>> nothing there as well.
>>
>> Kind Regards
>> Ariel Burbaickij
>>
>> On Mon, Nov 28, 2022 at 9:23 PM Jaap Keuter <jaap.keu...@xs4all.nl> wrote:
>>
>>> Hi,
>>>
>>> Have you looked at the table in Analyse | Decode As... ?
>>>
>>> Thanks,
>>> Jaap
>>>
>>> > On 28 Nov 2022, at 16:51, Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:
>>> >
>>> > Hello all,
>>> > we observe that Wireshark correctly decodes SIP over non-standard UDP
>>> > port, even where it is undesirable for our purposes in this case. All
>>> > options that we are aware of that would control such behaviour like trying
>>> > heuristic dissectors are on OFF. So, how is it done (analyzing the text
>>> > behind the UDP header?) and how can it be prevented?
>>> >
>>> > Kind Regards
>>> > Ariel Burbaickij
>>>
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
>>> Archives: https://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>>> mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
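
The thread asks whether SIP on a non-standard UDP port is recognised by "analyzing the text behind the UDP header". As an added example (not part of the thread and not Wireshark's dissector code), the C function below performs a port-independent check of a datagram's first line against the Request-Line and Status-Line grammar of RFC 3261 section 7. The function name, the uppercase-only method match and the sample payloads are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { NOT_SIP = 0, SIP_REQUEST = 1, SIP_RESPONSE = 2 };
static const char SIP_VER[] = "SIP/2.0";
#define VER_LEN (sizeof SIP_VER - 1)

/* Classify a UDP payload from its first line only, ignoring the port.
 * RFC 3261 section 7: Request-Line = Method SP Request-URI SP SIP-Version CRLF
 *                     Status-Line  = SIP-Version SP 3DIGIT SP Reason-Phrase CRLF
 * Simplification (assumption): methods are matched as uppercase letters only. */
int classify_sip_first_line(const unsigned char *p, size_t len)
{
    size_t n = 0, m = 0;
    /* The first line must end in CRLF inside the datagram. */
    while (n + 1 < len && !(p[n] == '\r' && p[n + 1] == '\n')) n++;
    if (n + 1 >= len) return NOT_SIP;

    if (n >= VER_LEN + 5 && memcmp(p, SIP_VER, VER_LEN) == 0 && p[VER_LEN] == ' ') {
        const unsigned char *c = p + VER_LEN + 1;   /* status code */
        return (isdigit(c[0]) && isdigit(c[1]) && isdigit(c[2]) && c[3] == ' ')
                   ? SIP_RESPONSE : NOT_SIP;
    }
    while (m < n && isupper(p[m])) m++;             /* method token */
    if (m == 0 || m == n || p[m] != ' ' || n < m + VER_LEN + 3) return NOT_SIP;
    const unsigned char *ver = p + n - VER_LEN;     /* version closes the line */
    if (memcmp(ver, SIP_VER, VER_LEN) != 0 || ver[-1] != ' ') return NOT_SIP;
    for (const unsigned char *u = p + m + 1; u < ver - 1; u++)
        if (*u <= ' ' || *u > '~') return NOT_SIP;  /* URI: printable, no spaces */
    return SIP_REQUEST;
}

int main(void)
{
    /* Constructed sample payloads, not taken from any capture. */
    const char *samples[] = {
        "OPTIONS sip:alice@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP host.invalid\r\n\r\n",
        "SIP/2.0 200 OK\r\nCSeq: 1 OPTIONS\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        "OPTIONS sip:alice@example.invalid SIP/2.0",   /* no CRLF */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu -> %d\n", i, classify_sip_first_line(
                   (const unsigned char *)samples[i], strlen(samples[i])));
    return 0;
}
```

A check of this kind is what separates a validating heuristic from one that hands every datagram to the protocol parser: the HTTP and truncated samples are rejected before any SIP parsing would start.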