Wireshark mailing list archives
Re: How to avoid dissection based on port defined by a different dissector?
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Wed, 15 Dec 2010 17:51:18 -0500
Christopher Maynard wrote:
Stephen Fisher <steve@...> writes:In addition to Christopher Maynard's suggestions, the surest way to fix it is to make both dissectors "new-style" so that they verify that the traffic on the port they're registered on (3503) is the right traffic they're expecting and kick it back to Wireshark so that another dissector can be tried....I forgot to write: ... if it isn't the right protocol for that dissectorThe problem I have with this is that 3503 is registered to MPLS Echo so that dissector shouldn't have to be changed to essentially become a heuristic one to accommodate this port-stealing protocol. It's essentially the same situation as for bug 1946. (See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1946) We ought to be able to rely on registered ports being reserved for data applicable to the protocols intended to run atop those ports. Granted 3503 is not a so-called "well-known" port, so it differs a little bit from the DNS situation, but it's basically the same thing. If we accept this situation, then potentially we have a lot of dissectors to convert to new-style, and that might be a lot of work, depending on how extensive the heuristics get. And then you can always run into the case when the heuristics fail anyway. (I say potentially because I haven't tried to count how many dissectors would be affected. I suspect a lot though.)
Well, I agree that protocols "shouldn't" steal ports. But they do. It's Not Right, but should Wireshark be limited to what is Right or what is Reality? (In other words, should the goal be for it to "just work?") For example, even when protocols don't steal ports, administrators steal/reuse ports: how often do you see web servers on something other than port 80? Okay, maybe not that often on the Internet, but I can probably find dozens of examples at work. My opinion has been: if Wireshark can figure it out (e.g., heuristically), let's try to do it. I don't think we'll ever be done, but we can keep improving. (Well, except when we can't because we can't come up with good enough heuristics, but that's another story...) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- How to avoid dissection based on port defined by a different dissector? eymanm (Dec 15)
- Re: [Wireshark-dev] How to avoid dissection based on port defined by a different dissector? Christopher Maynard (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Stephen Fisher (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Stephen Fisher (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Christopher Maynard (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Jeff Morriss (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Dirk Jagdmann (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Stephen Fisher (Dec 16)
- Re: How to avoid dissection based on port defined by a different dissector? Guy Harris (Dec 15)
- Re: [Wireshark-dev] How to avoid dissection based on port defined by a different dissector? Chris Maynard (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Guy Harris (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Dirk Jagdmann (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Jeff Morriss (Dec 16)
- Re: How to avoid dissection based on port defined by a different dissector? Stephen Fisher (Dec 15)
- Re: How to avoid dissection based on port defined by a different dissector? Stephen Fisher (Dec 16)