Wireshark · Ethereal-users: Re: [Ethereal-users] Unknown ICQ Messages

[Scott Fringer <fringsm@xxxxxxxxxxxxxxxxx>]

Guy,
  I took your advice and tried to find the offending packets, however,
using 'icq' as a display filter returns no frames.  Using 'udp.port ==
4000' does return a few packets.  Several are displayed as protocol ICQ,
they are actually DNS queries with a source port of 4000; so that makes
sense.  Thanks for the clarification. What's even more impressive(?) is
that the above udp filter also returned a few ICMP dest. unreachable
packets, since the payload had frames that were originally sourced from
port 4000.

Thanks.
Scott

Guy Harris wrote:
> 
> On Fri, Feb 22, 2002 at 11:20:09AM -0500, Scott Fringer wrote:
> >   Any ideas what these are informing me of (besides the obvious that
> > it's not sure of the version of some ICQ traffic).
> 
> It's informing you that the version number in a packet that it thought
> might be an ICQ packet, because it was sent to or from UDP port 4000,
> doesn't have a version number that it recognizes.
> 
> This could either mean
> 
>         1) somebody's using some new version of ICQ
> 
> or, more likely
> 
>         2) the traffic isn't actually ICQ traffic.
> 
> > How do I determine the offending frames?
> 
> Look for ICQ traffic by using a display filter of "icq", and then look
> for frames where the ICQ data isn't actually dissected.

-- 
Scott Fringer                              Shands Healthcare @ U.F.
Network Systems Analyst                        Gainesville, FL