Wireshark mailing list archives

Re: DCERPC over TCP


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Tue, 27 Dec 2011 01:36:39 +0100

Hi,

Note that the TCP dissector has a preference to:

    "Try to decode a packet using an heuristic sub-dissector before using
    a sub-dissector registered to a specific port".

I am looking at a Wireshark snapshot that contains traffic between
various clients and one TCP server port 135 (DCERPC over TCP). For the
client port 2152 (gtp-user) the detected protocol in Wireshark is GTP
instead of DCERPC, showing "For future use" and "Unknown extension
header" in its details. However, removing the registered TCP port from
the GTP protocol in Wireshark's preferences results in these packets
being (correctly) dissected as DCERPC.

Shouldn't the heuristic sub-dissector for DCERPC be favored over the
port-registered GTP dissector?

Cheers,
Andrej
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
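As an added example that is not part of the original post or of Wireshark's own code, a toy Python model of the choice the TCP dissector makes: a DCERPC-shaped payload from client port 2152 lands on the port-registered GTP dissector unless the heuristic pass runs first. The DCERPC check follows the DCE 1.1 connection-oriented header layout; the port table (GTP owning TCP 2152, DCERPC reachable only by heuristic) is an assumption drawn from the report, and the sample bytes are constructed.

```python
import struct

# Constructed sample (not from the original post): the 16-byte common header of
# a DCE/RPC connection-oriented Bind PDU, padded to its declared frag_length,
# as a client on TCP port 2152 might send it to a server on port 135.
DCERPC_BIND = bytes([
    0x05, 0x00,              # rpc_vers = 5, rpc_vers_minor = 0
    0x0b, 0x03,              # ptype = 11 (bind), flags = first|last fragment
    0x10, 0x00, 0x00, 0x00,  # data representation: little-endian integers
    0x48, 0x00,              # frag_length = 72 (byte order given by drep)
    0x00, 0x00,              # auth_length = 0
    0x01, 0x00, 0x00, 0x00,  # call_id = 1
]) + bytes(72 - 16)

def looks_like_dcerpc_co(payload):
    """Sanity checks of the kind a DCERPC heuristic applies to a TCP segment."""
    if len(payload) < 16:
        return False
    vers, vers_minor, ptype, drep0 = payload[0], payload[1], payload[2], payload[4]
    if vers != 5 or vers_minor not in (0, 1) or ptype > 19:
        return False
    endian = "<" if drep0 & 0x10 else ">"   # drep bit 4 set = little-endian
    (frag_length,) = struct.unpack_from(endian + "H", payload, 8)
    return 16 <= frag_length <= len(payload)

# Assumption matching the report: GTP owns TCP port 2152 in the port table,
# while DCERPC is reachable only through the heuristic list.
PORT_TABLE = {2152: "GTP"}
HEURISTICS = [("DCERPC", looks_like_dcerpc_co)]

def dissect_tcp_payload(src_port, dst_port, payload, heuristic_first=False):
    """Toy model of the 'try heuristic sub-dissectors first' preference."""
    def by_port():
        for port in sorted((src_port, dst_port)):
            if port in PORT_TABLE:
                return PORT_TABLE[port]
        return None

    def by_heuristic():
        for name, check in HEURISTICS:
            if check(payload):
                return name
        return None

    order = (by_heuristic, by_port) if heuristic_first else (by_port, by_heuristic)
    for attempt in order:
        result = attempt()
        if result:
            return result
    return "DATA"   # nothing claimed the payload
```

With the default (port first) the Bind PDU is handed to GTP; enabling the heuristic-first preference, or unregistering GTP's port as the post describes, yields DCERPC.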

