Does your protocol use an Upgrade header? If so, you can register with the http.upgrade dissector table.
Search also for "upgrade" in
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-http.c

Once control is handed to http, I don't think you can change it. Protocols like SMTP that use STARTTLS do something like this:

- Protocol starts being decoded as SMTP
- SMTP signals STARTTLS, so SMTP calls into the TLS dissector to let it know that everything after this packet is TLS with SMTP embedded.
- Due to that call TLS becomes the conversation dissector, but because it had a special case for detecting where TLS actually starts, it will reject earlier traffic, giving others a chance to handle it.

See "last_nontls_frame" in
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls.c
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls-utils.c

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)

On April 16, 2019 10:20:46 PM GMT+01:00, David Ameiss <netsh...@ameissnet.com> wrote:
>I've developed a dissector for a custom protocol used by my company. The
>protocol starts out as HTTP, as in an HTTP GET, but after that uses the
>"custom" part - not HTTP at all.
>
>The problem I'm running into is that, once a conversation is identified
>by the HTTP dissector as being HTTP (due to the first message, which IS
>HTTP), it stays that way. My dissector isn't called. I've added my
>dissector as a heuristic dissector for HTTP, but that doesn't seem to
>help. And unfortunately (since subsequent packets are not HTTP) I don't
>have Content-Type to steer the packets my way.
>
>Subsequent packets appear as HTTP Continuation, BTW.
>
>Is there some way to tell HTTP not to treat following packets for that
>conversation as HTTP, and to pass them to my dissector? Or a way to call
>the HTTP dissector (from my dissector) for the first packet WITHOUT it
>being "marked" as HTTP forever and ever?
>
>--
>David Ameiss
>netsh...@ameissnet.com
>___________________________________________________________________________
>Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>Archives:    https://www.wireshark.org/lists/wireshark-dev
>Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
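
The `http.upgrade` registration suggested in the reply, sketched as a Wireshark Lua dissector. This is an added example, not code from the thread or from Wireshark. It assumes the protocol really does negotiate with an `Upgrade:` header; the token `myproto` and the 2-byte big-endian length framing are hypothetical stand-ins for the real protocol.

```lua
-- Added example. "myproto" and its framing (2-byte length + payload) are
-- hypothetical; use the token your server sends in the "Upgrade:" header.
local myproto = Proto("myproto", "My Custom Protocol (example)")

local f_len     = ProtoField.uint16("myproto.length", "Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields  = { f_len, f_payload }

-- Expert item raised when a length field points past the available bytes.
local e_short = ProtoExpert.new("myproto.short",
                                "Length field exceeds available data",
                                expert.group.MALFORMED, expert.severity.ERROR)
myproto.experts = { e_short }

function myproto.dissector(tvb, pinfo, tree)
    local total = tvb:len()
    if total < 2 then return 0 end        -- too short to be ours: reject
    pinfo.cols.protocol = "MYPROTO"

    local offset = 0
    while total - offset >= 2 do
        local len  = tvb(offset, 2):uint()
        local span = math.min(2 + len, total - offset)
        local sub  = tree:add(myproto, tvb(offset, span))
        sub:add(f_len, tvb(offset, 2))
        if offset + 2 + len > total then
            -- Never read past the buffer on an attacker-chosen length.
            sub:add_proto_expert_info(e_short)
            break
        end
        if len > 0 then
            sub:add(f_payload, tvb(offset + 2, len))
        end
        offset = offset + 2 + len
    end
    return total
end

-- Register under the Upgrade token in the string table the reply names,
-- so the HTTP dissector can hand this conversation's later data over.
DissectorTable.get("http.upgrade"):add("myproto", myproto)
```

The sketch does no reassembly across TCP segments, so a frame split over two segments is flagged by the expert item rather than stitched together.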