Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to avoid dissection based on port defined by a different dissector?

From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Wed, 15 Dec 2010 17:51:18 -0500
Christopher Maynard wrote:

Stephen Fisher <steve@...> writes:


In addition to Christopher Maynard's suggestions, the surest way to 
fix it is to make both dissectors "new-style" so that they verify that 
the traffic on the port they're registered on (3503) is the right 
traffic they're expecting and kick it back to Wireshark so that 
another dissector can be tried....

I forgot to write:

... if it isn't the right protocol for that dissector


The problem I have with this is that 3503 is registered to MPLS Echo so that
dissector shouldn't have to be changed to essentially become a heuristic one to
accommodate this port-stealing protocol.  It's essentially the same situation as
for bug 1946.  (See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1946) 
We ought to be able to rely on registered ports being reserved for data
applicable to the protocols intended to run atop those ports.  Granted 3503 is
not a so-called "well-known" port, so it differs a little bit from the DNS
situation, but it's basically the same thing.  If we accept this situation, then
potentially we have a lot of dissectors to convert to new-style, and that might
be a lot of work, depending on how extensive the heuristics get.  And then you
can always run into the case when the heuristics fail anyway.  (I say
potentially because I haven't tried to count how many dissectors would be
affected.  I suspect a lot though.)


Well, I agree that protocols "shouldn't" steal ports.  But they do. 
It's Not Right, but should Wireshark be limited to what is Right or what 
is Reality?  (In other words, should the goal be for it to "just work?")

For example, even when protocols don't steal ports, administrators 
steal/reuse ports: how often do you see web servers on something other 
than port 80?  Okay, maybe not that often on the Internet, but I can 
probably find dozens of examples at work.

My opinion has been: if Wireshark can figure it out (e.g., 
heuristically), let's try to do it.  I don't think we'll ever be done, 
but we can keep improving.  (Well, except when we can't because we can't 
come up with good enough heuristics, but that's another story...)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: