Wireshark mailing list archives

Re: How to avoid dissection based on port defined by a different dissector?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 15 Dec 2010 16:45:34 -0800


On Dec 15, 2010, at 1:46 PM, Christopher Maynard wrote:

> The problem I have with this is that 3503 is registered to MPLS Echo so that
> dissector shouldn't have to be changed to essentially become a heuristic one to
> accommodate this port-stealing protocol.

The protocol itself might not be stealing that port; I suspect that the
"port A" in "I have a dissector plugin that is registered with port A." is
not port 3503.

However, the OS on the other endpoint might have chosen port 3503 as the port
number for its side of the conversation.  OSes *should* (and that might even
be a SHOULD in some RFC - or even a MUST - but I don't know offhand what RFC
that is) choose ports in the ephemeral range (49152 through 65535) if the
application (or library) doesn't explicitly choose a port number, rather than
ports in the well-known range (0 through 1023, often restricted to privileged
users for silly "security" reasons) or the registered range (1024 through
49151).  However, that doesn't guarantee that they *do*.  When looking for a
port match, we try the lowest port number first, as that's more likely to be a
"real" port - but there isn't any test you can use on port numbers that's
*guaranteed* never to get the wrong answer.
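
The lowest-port-first match described in the message above, as a small stand-alone C model. This is an added example, not Wireshark source code and not part of the original message. Port 3503 (MPLS Echo) comes from the thread; port 5000 is a constructed stand-in for the plugin's "port A", which the thread does not give, and the `ambiguous` flag is an addition showing when the match was only a guess.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Port ranges as stated in the message above. */
typedef enum { PORT_WELL_KNOWN, PORT_REGISTERED, PORT_EPHEMERAL } port_class_t;

port_class_t classify_port(uint16_t port)
{
    if (port <= 1023)  return PORT_WELL_KNOWN;
    if (port <= 49151) return PORT_REGISTERED;
    return PORT_EPHEMERAL;
}

/* Toy dissector table: 3503 is from the thread, 5000 is a constructed
 * placeholder for the plugin's "port A" (hypothetical value). */
struct entry { uint16_t port; const char *name; };
static const struct entry table[] = {
    { 3503, "MPLS Echo" },
    { 5000, "plugin (hypothetical port A)" },
};

const char *lookup(uint16_t port)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].port == port)
            return table[i].name;
    return NULL;
}

/* Try the lower port number first, then the higher one. *ambiguous is set
 * when both ports have a registered dissector, so the result is a guess. */
const char *pick_dissector(uint16_t sport, uint16_t dport, int *ambiguous)
{
    uint16_t lo = sport < dport ? sport : dport;
    uint16_t hi = sport < dport ? dport : sport;
    const char *first = lookup(lo);
    const char *second = lookup(hi);
    *ambiguous = (first != NULL && second != NULL && lo != hi);
    return first ? first : second;
}

int main(void)
{
    int amb;
    const char *d = pick_dissector(3503, 5000, &amb); /* OS chose 3503 as source */
    printf("%s ambiguous=%d src_class=%d\n", d, amb, classify_port(3503));
    return 0;
}
```

When the other endpoint's OS hands out 3503 as its source port, the plugin's traffic is given to the MPLS Echo entry, and the flag marks that as a match where both ports had a candidate.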
