Re: tcpdump display/decode bug?

[Stephen Donnelly <stephen () endace com>]

On Wed, 2008-07-30 at 20:07 -0700, Guy Harris wrote:
> On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:
>
> > I recently came across some packets which tcpdump appears to display
> > incorrectly.
> >
> > Is tcpdump incorrectly invoking some heuristic dissector, or is there
> > another reason?
>
> I guess that's what I'd call it.
>
> tcpdump assumes that packets to or from certain ports might be KIP- 
> encapsulated AppleTalk packets (KIP = "Kinetics IP"); see the tcpdump  
> man page (look for "KIP AppleTalk (DDP in UDP)"), or RFC 1243:
>
>       4.7.  The Kinetics Internet Protocol Group
>
>          The Kinetics Internet Protocol (KIP) is a protocol for encapsulating
>          and routing AppleTalk datagrams over an IP internet.  This name is
>          historical.  The KIP group manages the KIP routing protocol as well
>          as the routing tables generated by this protocol.
>
> It uses a heuristic to check, but the heuristic is really weak (it  
> checks whether, if the payload were an AppleTalk LLAP packet, the type  
> would be DDP, so it checks one count 'em one byte in the entire  
> payload).

Okay, the explanation makes sense. We just had bad luck with our
packets looking like candidates for KIP.

Tcpdump doesn't have a way of configuring/disabling heuristic dissectors
like this, without hacking the code?

Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.