tcpdump mailing list archives
Re: tcpdump display/decode bug?
From: Stephen Donnelly <stephen () endace com>
Date: Thu, 31 Jul 2008 16:44:35 +1200
On Wed, 2008-07-30 at 20:07 -0700, Guy Harris wrote:
> On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:
>
> > I recently came across some packets which tcpdump appears to display
> > incorrectly. Is tcpdump incorrectly invoking some heuristic dissector,
> > or is there another reason?
>
> I guess that's what I'd call it. tcpdump assumes that packets to or
> from certain ports might be KIP-encapsulated AppleTalk packets (KIP =
> "Kinetics IP"); see the tcpdump man page (look for "KIP AppleTalk (DDP
> in UDP)"), or RFC 1243:
>
>     4.7. The Kinetics Internet Protocol Group
>
>         The Kinetics Internet Protocol (KIP) is a protocol for
>         encapsulating and routing AppleTalk datagrams over an IP
>         internet. This name is historical. The KIP group manages the
>         KIP routing protocol as well as the routing tables generated
>         by this protocol.
>
> It uses a heuristic to check, but the heuristic is really weak (it
> checks whether, if the payload were an AppleTalk LLAP packet, the type
> would be DDP, so it checks one, count 'em, one byte in the entire
> payload).
Okay, the explanation makes sense. We just had bad luck with our packets
looking like candidates for KIP.

Tcpdump doesn't have a way of configuring/disabling heuristic dissectors
like this, without hacking the code?

Stephen.

-- 
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD                    email: sfd () endace com
Endace Technology Ltd                        phone: +64 7 839 0540
Hamilton, New Zealand                        cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
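The following is an added example, not code from the thread and not tcpdump's own source. It models the KIP heuristic Guy describes so that a reader can see exactly how little a UDP payload has to resemble AppleTalk for the DDP decoder to be chosen. The constants are assumptions based on my reading of tcpdump's print-udp.c and appletalk.h: the LLAP header is dst(1), src(1), type(1); a type byte of 2 (lapDDP) selects the DDP decoder; and the "AppleTalk ports" are 200..207 and 16512..16639. The packets fed in are constructed for the demonstration.

```python
"""
Model of tcpdump's KIP (DDP-in-UDP) heuristic.

Added example for the tcpdump-workers thread above; this is not
tcpdump's code.  The offsets, type value and port ranges below are my
reading of print-udp.c / appletalk.h and should be treated as
assumptions to be checked against the tcpdump version you run.
"""
import struct

# Assumed LLAP layout: dst(1) src(1) type(1).  Type 2 is lapDDP, the
# long-form DDP datagram; the heuristic looks at this single byte.
LAP_TYPE_OFFSET = 2
LAP_DDP = 2


def is_atalk_port(port):
    """Assumed port test: 200..207 and 16512..16639 are 'AppleTalk' ports."""
    return 200 <= port <= 207 or 16512 <= port <= 16639


def looks_like_kip(sport, dport, payload):
    """True when the heuristic fires: either port is an AppleTalk port and
    the byte at the LLAP type position equals lapDDP.  Nothing else in
    the payload is consulted, which is why unrelated traffic can match."""
    if not (is_atalk_port(sport) or is_atalk_port(dport)):
        return False
    if len(payload) <= LAP_TYPE_OFFSET:
        return False
    return payload[LAP_TYPE_OFFSET] == LAP_DDP


def build_udp(sport, dport, payload):
    """Construct a UDP header plus payload (checksum left at zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_udp(udp):
    """Return 'kip' if the modelled heuristic would hand this datagram to
    the AppleTalk decoder, otherwise 'udp'."""
    sport, dport, length, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:length]
    return "kip" if looks_like_kip(sport, dport, payload) else "udp"


def demo():
    """Constructed datagrams showing a false positive and its neighbours."""
    body = b"\x10\x20\x02\x30\x40"  # some non-AppleTalk protocol, 3rd byte 0x02
    return {
        # Port 204 plus a 0x02 in the third byte: misdecoded as KIP/DDP.
        "port204_type2": classify_udp(build_udp(40000, 204, body)),
        # Same bytes on a port outside the ranges: left alone.
        "port5000_type2": classify_udp(build_udp(40000, 5000, body)),
        # Port 204 but third byte not 0x02: left alone.
        "port204_type1": classify_udp(build_udp(40000, 204, b"\x10\x20\x01\x30")),
        # Too short to even have a type byte: left alone.
        "port204_short": classify_udp(build_udp(204, 40000, b"\x10\x20")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In my reading of print-udp.c, tcpdump prints a "kip " prefix ahead of the AppleTalk decode when -v is given and this branch is taken; that prefix (an assumption about the version in use, to be confirmed against your build) is a quick way to tell a heuristic misfire from a genuinely corrupt capture before reaching for the source.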
Current thread:
- tcpdump display/decode bug? Stephen Donnelly (Jul 30)
- Re: tcpdump display/decode bug? Guy Harris (Jul 30)
- Re: tcpdump display/decode bug? Stephen Donnelly (Jul 30)
- Re: tcpdump display/decode bug? Guy Harris (Jul 30)