Wireshark mailing list archives
Re: DCERPC over TCP
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Tue, 27 Dec 2011 01:36:39 +0100
Hi,
Note that the TCP dissector has a preference to: "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
I am looking at a Wireshark snapshot that contains traffic between various clients and one TCP server port 135 (DCERPC over TCP). For the client port 2152 (gtp-user) the detected protocol in Wireshark is GTP instead of DCERPC, showing "For future use" and "Unknown extension header" in its details. Though, removing the registered TCP port in the GTP protocol in Wireshark's preferences results in these packets being (correctly) dissected as DCERPC. Shouldn't the heuristic sub-dissector for DCERPC be favored over the port-registered GTP dissector?

Cheers,
Andrej
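The dispatch-order question raised in this message, as an added example that is not part of the original post and not Wireshark's code: a simplified Python model of a port table and a heuristic list, with the quoted preference as a flag. The header check, the port table contents, the function names and the sample bind PDU are all assumptions constructed for the illustration.

```python
import struct

def looks_like_dcerpc(payload: bytes) -> bool:
    """Simplified check of the 16-byte connection-oriented DCE/RPC header."""
    if len(payload) < 16:
        return False
    rpc_vers, rpc_vers_minor, ptype = payload[0], payload[1], payload[2]
    drep0 = payload[4]  # high nibble: integer byte order, low nibble: charset
    if rpc_vers != 5 or rpc_vers_minor not in (0, 1) or ptype > 19:
        return False
    if (drep0 >> 4) not in (0, 1) or (drep0 & 0x0F) not in (0, 1):
        return False
    order = "<" if (drep0 >> 4) == 1 else ">"
    (frag_length,) = struct.unpack_from(order + "H", payload, 8)
    return frag_length >= 16  # a fragment can never be shorter than its header

# Assumed registrations for this model: one port-based, one heuristic.
PORT_TABLE = {2152: "GTP"}
HEURISTICS = [("DCERPC", looks_like_dcerpc)]

def pick_dissector(src_port, dst_port, payload, try_heuristic_first):
    """Return the name of the dissector that would claim the payload."""
    def by_port():
        for port in (src_port, dst_port):
            if port in PORT_TABLE:
                return PORT_TABLE[port]  # a port match claims any payload
        return None

    def by_heuristic():
        for name, check in HEURISTICS:
            if check(payload):
                return name
        return None

    lookups = (by_heuristic, by_port) if try_heuristic_first else (by_port, by_heuristic)
    for lookup in lookups:
        name = lookup()
        if name:
            return name
    return "data"

# Constructed sample: DCE/RPC bind (ptype 11), little-endian, frag_length 72.
BIND = bytes.fromhex("05000b03100000004800000001000000") + bytes(56)

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, pick_dissector(2152, 135, BIND, flag))
```

In Wireshark and tshark the preference quoted above is named `tcp.try_heuristic_first` and can be set per run with `-o tcp.try_heuristic_first:TRUE`.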