
Ethereal-users: Re: [Ethereal-users] Problem with Ethereal.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 23 Oct 2002 10:37:56 -0700
On Wed, Oct 23, 2002 at 04:41:59PM +0100, Richard Quadling wrote:
> So it seems that information coming in from a POP3 server looks, initially
> anyway, like GPRS Tunnelling Protocol information.

No, it seems that Ethereal treats traffic to or from port 2123 as GTP
version 1 control PDUs, regardless of whether it really is GTPv1 control
traffic or not, and you happened to be unlucky enough to have your POP
session use port 2123 on one side of the connection.

It does so because that's apparently the default port number for GTP
version 1 control PDUs.

This is a very broad problem, not at all specific to GTP and/or POP,
and there is no general solution that will make Ethereal *never*
misidentify packets.

In this particular case, you can disable GTP v1 control plane dissection
entirely by setting the "GTPv1 control plane (GTP-C) port" preference to
0 - select "Preferences" from the "Edit" menu, open up the list of
protocols by clicking on the "[+]" box labelled "Protocols" on the left
pane of the dialog box that pops up, select "GTP" from that list,
replace "2123" with "0" in the "GTPv1 control plane (GTP-C) port"
preference, click "Save" to save the preferences, and click "OK".

It might also be possible to have the GTP dissector reject packets it
thinks are sufficiently malformed, e.g. with a bogus message type,
although that runs the risk of causing problems if new message types are
added to GTP and you look at traffic with those new message types with a
version of Ethereal not modified to know about them - instead of getting
what dissection would be possible of that new message, you'd get
nothing.
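
Added example (not part of the original message and not Ethereal's dissector code): a sketch in C of the sanity check discussed above, showing how a structural test on the GTPv1 header rejects the POP3 bytes, and how additionally rejecting unknown message types loses newer messages. The function names, the message-type table (a small subset) and the sample packets are constructed for illustration; the length test assumes the buffer holds exactly one PDU.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GTP_HDR_LEN 8 /* mandatory GTPv1 header: flags, type, length, TEID */

/* Subset of GTPv1 control message types, chosen for this example only. */
static bool known_msg_type(uint8_t t)
{
    static const uint8_t known[] = { 1, 2, 3, 16, 17, 18, 19, 20, 21 };
    for (size_t i = 0; i < sizeof known; i++)
        if (known[i] == t)
            return true;
    return false;
}

/* Returns true if buf looks like one GTPv1 control PDU. With strict_type
 * set, message types missing from the table above are rejected as well. */
bool gtpv1c_plausible(const uint8_t *buf, size_t len, bool strict_type)
{
    if (len < GTP_HDR_LEN)
        return false;
    if ((buf[0] >> 5) != 1)            /* version field must be 1 */
        return false;
    if (((buf[0] >> 4) & 1) != 1)      /* protocol type: 1 = GTP, 0 = GTP' */
        return false;
    size_t declared = ((size_t)buf[2] << 8) | buf[3];
    if (declared != len - GTP_HDR_LEN) /* length counts bytes after the header */
        return false;
    if (strict_type && !known_msg_type(buf[1]))
        return false;
    return true;
}

/* Constructed samples: a POP3 greeting, an Echo Request, and a PDU whose
 * type (0x7f) is not in the table, standing in for a newer message type. */
static const uint8_t sample_pop3[] = "+OK POP3 server ready\r\n";
static const uint8_t sample_echo[] = { 0x32, 0x01, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t sample_new[]  = { 0x32, 0x7f, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x02, 0x00, 0x00 };

int main(void)
{
    printf("pop3, lenient:     %d\n", gtpv1c_plausible(sample_pop3, sizeof sample_pop3 - 1, false));
    printf("echo, strict:      %d\n", gtpv1c_plausible(sample_echo, sizeof sample_echo, true));
    printf("new type, lenient: %d\n", gtpv1c_plausible(sample_new, sizeof sample_new, false));
    printf("new type, strict:  %d\n", gtpv1c_plausible(sample_new, sizeof sample_new, true));
    return 0;
}
```

The lenient mode rejects the POP3 greeting on header structure alone while still accepting the unknown message type; the strict mode drops that PDU entirely, which is the trade-off described in the message.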