
Ethereal-users: Re: [Ethereal-users] TDS + Lotus

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 09 Dec 2004 12:40:36 -0800
Marshal V Langlois wrote:

> Ethereal appears to identify some of my lotus notes traffic as TDS... is this correct? Or is it a bug of some sort?

Ultimately, it might be an inherent weakness of all network analyzers. Many protocols have a field in them that specifies the protocol type of the payload of the protocol - for example, Ethernet has a type/length field, and if it's a length field, there's an 802.2 header with service access points and, if both service access points are 0xAA, there's a SNAP header with an OUI and a protocol ID.

TCP and UDP are *not* protocols that have a protocol type field. They just have port numbers, but not all protocols have standard port numbers, and even "well-known" and "registered" ports might be used for protocols other than the one that "belongs" to them.

Therefore, there's no guarantee that a network analyzer will correctly identify the protocol used by TCP or UDP traffic - it can't do so. It can try to guess whether a packet is for a particular protocol, by looking at it, and either

reject packets using the port for a given protocol if they don't look like packets for that protocol

or

accept packets for a given protocol if they look like packets for that protocol.

Ethereal's TDS dissector, in the current version of Ethereal (0.10.7 - if you're using an earlier version, try updating) accepts as TDS packets TCP packets to or from ports 1433 and 2433, without checking whether they look like TDS packets, and also accepts as TDS packets any TCP packets that weren't claimed by another protocol's dissector and that look like TDS packets - or that are part of a connection in which one of the latter type of packets was seen. "Look like" involves checking whether it looks like a login packet; if it does, the entire TCP connection is treated as TDS.

Is the Lotus Notes traffic you're seeing on ports 1433 or 2433?
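The two identification strategies described in the reply (accept on the well-known port without looking, or accept whatever "looks like" a login packet and then treat the whole TCP connection as that protocol) modelled in Python, as an added example that is not part of the original thread and not Ethereal's dissector code. The `looks_like_tds_login` header check, the `TdsClassifier` class, the sample segments and the use of port 1352 as a non-TDS port are all assumptions constructed for the illustration; the page does not show the real dissector's login test.

```python
"""Toy model of port-based vs heuristic protocol identification.
Assumption: the "looks like a login packet" test below is a simplified
check of the TDS packet header layout (type, status, 2-byte length), not
Ethereal's actual dissector code; all traffic here is constructed."""
from dataclasses import dataclass

TDS_PORTS = {1433, 2433}          # ports the dissector accepts unconditionally


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def conversation_key(seg: TcpSegment) -> tuple:
    """Direction-independent key so both halves of a connection share state."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def looks_like_tds_login(payload: bytes) -> bool:
    """Simplified header plausibility check (assumed, not Ethereal's logic):
    type byte 0x02 (pre-TDS7 login) or 0x10 (TDS7 login), a status byte of
    0 or 1, and a big-endian length field equal to the packet length."""
    if len(payload) < 8:
        return False
    ptype, status = payload[0], payload[1]
    length = int.from_bytes(payload[2:4], "big")
    return ptype in (0x02, 0x10) and status in (0x00, 0x01) and length == len(payload)


class TdsClassifier:
    """strict=False: the 0.10.7 behaviour described above (port match wins,
    no content check).  strict=True: traffic on the TDS ports must also pass
    the heuristic, i.e. "reject packets using the port if they don't look
    like packets for that protocol"."""

    def __init__(self, strict: bool = False):
        self.strict = strict
        self.tds_conversations: set = set()

    def classify(self, seg: TcpSegment, claimed_by_other: bool = False) -> str:
        key = conversation_key(seg)
        if key in self.tds_conversations:
            return "TDS"                      # conversation already bound to TDS
        on_tds_port = seg.sport in TDS_PORTS or seg.dport in TDS_PORTS
        if on_tds_port and not self.strict:
            return "TDS"                      # port rule, no content check at all
        if claimed_by_other:
            return "other"                    # another dissector claimed it first
        if looks_like_tds_login(seg.payload):
            self.tds_conversations.add(key)   # heuristic hit binds the whole connection
            return "TDS"
        return "unknown"


def tds_packet(ptype: int, body: bytes) -> bytes:
    """Build a constructed packet with a plausible 8-byte TDS-style header."""
    total = 8 + len(body)
    return bytes([ptype, 0x01]) + total.to_bytes(2, "big") + b"\x00\x00\x01\x00" + body


# Constructed sample traffic.  Port 1352 is used here simply as a non-TDS port.
SEGMENTS = [
    TcpSegment("10.0.0.5", 50000, "10.0.0.10", 1433, tds_packet(0x10, b"login")),
    TcpSegment("10.0.0.6", 50001, "10.0.0.11", 1433, b"NRPC-hello"),       # non-TDS on 1433
    # First bytes happen to satisfy the loose header check: an unlucky coincidence.
    TcpSegment("10.0.0.7", 50002, "10.0.0.12", 1352, b"\x02\x00\x00\x0e" + b"NOTES-DATA"),
    TcpSegment("10.0.0.12", 1352, "10.0.0.7", 50002, b"NRPC-reply"),       # reply, same connection
    TcpSegment("10.0.0.8", 50003, "10.0.0.13", 1352, b"NRPC-hello"),
]


def run_demo(strict: bool = False) -> list:
    """Classify SEGMENTS in order and return the verdict for each."""
    clf = TdsClassifier(strict=strict)
    return [clf.classify(seg) for seg in SEGMENTS]


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "loose", run_demo(strict=mode))
```

Running it prints both modes. In loose mode everything on port 1433 is labelled TDS whether or not it is, which is the situation the question describes; strict mode rejects the second segment. The third and fourth segments show the other side of the trade-off: once a heuristic fires on a first packet, the verdict sticks for the rest of that connection in both modes, so a heuristic is only as trustworthy as its first-packet check, and the `claimed_by_other` path shows why dissector ordering matters.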