Bob Woods wrote:
I'm using version 0.10.6 and I can't seem to see any decode for DICOM.
I see it in the list of enabled protocols but I don't see it in the
decode list. I know I have a valid DICOM capture file because it
decodes in the Merge DPM. Could somebody please explain how to view
the DICOM data.

The way to view the DICOM data is to make sure that the first packet in
the TCP connection with TCP payload:

    has at least 10 bytes of TCP payload;

    has 1 as the first of those bytes;

    has 1 as the 7th byte;

    has, as the length field starting with the 3rd byte, a value that,
    when 6 is added to it, is >= the amount of data in the TCP payload.

This is because the DICOM dissector is a "heuristic" dissector, meaning
that, instead of looking for traffic on a particular port, it is one of
a set of dissectors called for TCP packets regardless of the port
number. I infer that this is because there's no standard port number
for DICOM - I don't know whether that's the case.

This also means that if some *other* heuristic dissector accepts the
packet before the DICOM dissector is called, the packet won't be
recognized as a DICOM packet.

I infer from the code that "has 1 as the first of those bytes" means
that the first packet in the TCP connection must be an "ASSOC Request".
If that's not the case, the current DICOM dissector won't recognize
any of the packets in the connection.
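
The four conditions listed in the reply above, written as a check that can be run against the first TCP payload of a connection to see which condition a capture fails. This is an added example, not code from the original message or from the dissector: the function and sample names are hypothetical, the sample payloads are constructed, and the 4-byte big-endian width of the length field is an assumption taken from the DICOM Upper Layer PDU header layout, since the message only says where the field starts.

```python
import struct

MIN_PAYLOAD = 10  # "at least 10 bytes of TCP payload"


def dicom_heuristic_check(payload: bytes) -> tuple:
    """Apply the message's four conditions to the first TCP payload of a
    connection. Returns (accepted, reason)."""
    if len(payload) < MIN_PAYLOAD:
        return False, f"payload is {len(payload)} bytes, need at least {MIN_PAYLOAD}"
    if payload[0] != 1:
        return False, f"first byte is {payload[0]}, not 1"
    if payload[6] != 1:
        return False, f"7th byte is {payload[6]}, not 1"
    # Assumption: the length field is 4 bytes, big-endian, at bytes 3..6
    # (offsets 2..5); the message only gives its starting position.
    (length,) = struct.unpack_from(">I", payload, 2)
    if length + 6 < len(payload):
        return False, f"length field {length} + 6 is less than payload size {len(payload)}"
    return True, "accepted"


def make_payload(first: int, length_field: int, seventh: int, total: int) -> bytes:
    """Build a constructed sample payload (not real DICOM traffic)."""
    head = bytes([first, 0]) + struct.pack(">I", length_field) + bytes([seventh])
    return head + bytes(total - len(head))


# Constructed samples, one per outcome.
SAMPLES = {
    "assoc_request": make_payload(1, 68, 1, 74),   # passes all four conditions
    # Capture that starts mid-connection: the first payload seen is not an
    # ASSOC Request (first byte 4 here), so the connection is not recognized.
    "mid_connection": make_payload(4, 68, 1, 74),
    "too_short": bytes([1, 0, 0, 0, 0, 3, 1, 0, 0]),   # only 9 bytes
    "bad_seventh": make_payload(1, 68, 0, 74),
    "length_too_small": make_payload(1, 10, 1, 74),    # 10 + 6 < 74
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = dicom_heuristic_check(data)
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```
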