HTTPS traffic on TCP port 8085 is wrongly detected as WOWW
Summary
A packet capture from a custom HTTPS (HTTP/2) server on port 8085 was no longer detected as TLS and was instead decoded as WOWW. This was fine in Wireshark 3.4 and changed on the development version (3.6rc) since !3707 (merged) (part of #17481).
TCP port 8085 is unassigned with IANA: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8085
Is it possible to do one of:
- Do not register the protocol by default on the port. Change the WOWW_CLIENT_TO_SERVER macro to assume the lower port number to be the server port. That assumes that client ports are often chosen from the higher ephemeral port ranges. One can use additional heuristics during the handshake to recognize whether a packet is from a client/server if needed.
- During dissection, if one encounters a clearly invalid packet, return 0 from the dissector to reject it. That would allow the HTTP dissector to kick in.
Steps to reproduce
Load a packet capture with HTTPS in TCP port 8085.
What is the current bug behavior?
Traffic is wrongly detected as WOWW.
What is the expected correct behavior?
Traffic is dissected as TLS (and due to the ALPN, the application data is decrypted as HTTP/2).
Sample capture file
(no sample, can create one if desired.)
Build information
Current git master.
Edited by Peter Wu
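The two suggestions in the report (treat the lower port as the server, and return 0 when the payload is clearly not the registered protocol), as an added standalone C sketch that is not Wireshark code and does not use Wireshark's dissector API. All function names are hypothetical, the sample bytes are constructed, and "clearly invalid" is assumed here to mean "starts with a TLS record header".

```c
#include <stddef.h>
#include <stdint.h>

/* Direction guess from the report: the lower port number is the server,
 * since client ports usually come from the high ephemeral range. */
static int is_client_to_server(uint16_t srcport, uint16_t dstport)
{
    return srcport > dstport;
}

/* Assumed sanity check: a TLS record starts with content type 20..23,
 * record version 3.0..3.4 and a length of at most 2^14 + 2048 bytes. */
static int looks_like_tls_record(const uint8_t *p, size_t len)
{
    if (len < 5)
        return 0;
    if (p[0] < 20 || p[0] > 23)
        return 0;
    if (p[1] != 3 || p[2] > 4)
        return 0;
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    return rec_len <= 16384 + 2048;
}

/* Stand-in for a port-registered dissector: returns the number of bytes
 * it accepted, or 0 to reject so that another dissector can be tried. */
static size_t dissect_port_proto(const uint8_t *p, size_t len,
                                 uint16_t srcport, uint16_t dstport)
{
    if (looks_like_tls_record(p, len))
        return 0;                       /* not ours: hand it back */
    (void)is_client_to_server(srcport, dstport); /* would select the header layout */
    return len;
}

/* Constructed samples: start of a TLS handshake record, and arbitrary
 * bytes that do not form a TLS record header. */
static const uint8_t sample_tls[]   = { 0x16, 0x03, 0x01, 0x02, 0x00, 0x01 };
static const uint8_t sample_other[] = { 0x00, 0x04, 0xed, 0x01, 0x00, 0x00 };

int main(void)
{
    size_t tls = dissect_port_proto(sample_tls, sizeof sample_tls, 51234, 8085);
    size_t other = dissect_port_proto(sample_other, sizeof sample_other, 51234, 8085);
    return (tls == 0 && other == sizeof sample_other) ? 0 : 1;
}
```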