Wireshark · Ethereal-dev: Re: [Ethereal-dev] Dissectors are matched according to their SOURCE port?!

Ethereal-dev: Re: [Ethereal-dev] Dissectors are matched according to their SOURCE port?!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 9 Feb 2005 20:05:24 +0100

On Wed, 09 Feb 2005 20:47:35 +0200, Yaniv Kaul <ykaul@xxxxxxxxxxxx> wrote:
> I was always under the impression that the destination port matters, not
> the source.

As far as TCP sessions go you are right, but we have to deal with
single packets as we could get a capturewith just few packets and not
the whole session.

The problem is that we cannot know whether a packet whose src port is
1080 is not realy coming from a SOCKS server. Or reciprocally  that a
packet with dst prt 1080 is not actually going towards a SOCKS server.

That's why it is not a wrong thing to decode a packet one of whose
ports is 1080 as SOCKS, as it is very likely to be such.

> Any ideas how to cleanly prevent this?

As a workarround, in  your case, you could try to disable the SOCKS
dissector. Whether that's clean or not I cannot say.

Luis

References:
- [Ethereal-dev] Dissectors are matched according to their SOURCE port?!
  - From: Yaniv Kaul

Prev by Date: [Ethereal-dev] enable to compile ethereal 10.3.9 with mac os x
Next by Date: [Ethereal-dev] does ethereal team have plan to support decode more scsi commands?
Previous by thread: [Ethereal-dev] Dissectors are matched according to their SOURCE port?!
Next by thread: [Ethereal-dev] enable to compile ethereal 10.3.9 with mac os x
Index(es):
- Date
- Thread