Wireshark-dev: Re: [Wireshark-dev] [Patch] update to packet-newmail.c

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Tue, 3 Oct 2006 11:29:36 -0700

On Wed, Oct 04, 2006 at 01:54:41AM +1000, ronnie sahlberg wrote:

> since this uses a ephemeral port number which changes between runs you 
> should not register the dissector to the port itself
> 
> much better is to once you have detected that port A on host B uses 
> that protocol you create a conversation for host B port A and register 
> the dissector for that particular protocol.
> 
> you can see examples of how this is done in (i think) the dissector 
> for portmapper

There are a couple reasons the dissector itself registers a port.  The 
first is that the decode as option doesn't appear to work until it has 
registered itself on a port (such as 0).  The second is that there is a 
preference setting to always dissect a certain port's traffic as newmail 
because you can modify the client's registry to always use the same port 
number.  This feature is often used in firewalled environments so all 
clients use the same port number every time.  This setting avoids the 
need to see the mapi register push notification packet if the port will 
always be the same.  I'm open to any ideas on a better way to accomplish 
this.


Thanks,
  Steve