
Ethereal-users: Re: [Ethereal-users] TDS + Lotus

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Marshal V Langlois <mvl01@xxxxxxxxxxxxxxxxxx>
Date: Thu, 9 Dec 2004 15:45:17 -0500

It's actually on port 1352.  In fact... SOME of the traffic in the capture is represented simply as tcp without any specification as to what it thinks it is.




Guy Harris <gharris@xxxxxxxxx>
Sent by: ethereal-users-bounces@xxxxxxxxxxxx
12/09/2004 03:40 PM
Please respond to Ethereal user support

To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
cc:
Subject: Re: [Ethereal-users] TDS + Lotus



Marshal V Langlois wrote:

> Ethereal appears to identify some of my lotus notes traffic as TDS... is
> this correct?  Or is it a bug of some sort?

Ultimately, it might be an inherent weakness of all network analyzers.
Many protocols have a field in them that specifies the protocol type of
the payload of the protocol - for example, Ethernet has a type/length
field, and if it's a length field, there's an 802.2 header with service
access points and, if both service access points are 0xAA, there's a
SNAP header with an OUI and a protocol ID.

TCP and UDP are *not* protocols that have a protocol type field.  They
just have port numbers, but not all protocols have standard port
numbers, and even "well-known" and "registered" ports might be used for
protocols other than the one that "belongs" to them.

Therefore, there's no guarantee that a network analyzer will correctly
identify the protocol used by TCP or UDP traffic - it can't do so.  It
can try to guess whether a packet is for a particular protocol, by
looking at it, and either

    reject packets using the port for a given protocol if they don't look
    like packets for that protocol

or

    accept packets for a given protocol if they look like packets for that
    protocol.

Ethereal's TDS dissector, in the current version of Ethereal (0.10.7 -
if you're using an earlier version, try updating) accepts as TDS packets
TCP packets to or from ports 1433 and 2433, without checking whether
they look like TDS packets, and also accepts as TDS packets any TCP
packets that weren't claimed by another protocol's dissector and that
look like TDS packets - or that are part of a connection in which one of
the latter type of packets was seen.  "Look like" involves checking
whether it looks like a login packet; if it does, the entire TCP
connection is treated as TDS.

Is the Lotus Notes traffic you're seeing on ports 1433 or 2433?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
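
The dispatch order described in the quoted reply (port match first, then a sticky per-connection heuristic), modelled in Python as an added example; it is not Ethereal's code and not part of the original thread. The login check is a simplified assumption based on the 8-byte TDS packet header, and all addresses and payloads are constructed.

```python
import struct

TDS_PORTS = {1433, 2433}        # ports named in the message above
TDS_LOGIN_TYPES = {0x02, 0x10}  # TDS 4.x login and TDS 7 login packet types

def looks_like_tds_login(payload: bytes) -> bool:
    # Assumed, simplified check on the 8-byte TDS header: type, status, length.
    if len(payload) < 8:
        return False
    ptype, status, length = struct.unpack(">BBH", payload[:4])
    return ptype in TDS_LOGIN_TYPES and status in (0, 1) and length >= 8

class Classifier:
    def __init__(self):
        self.tds_conversations = set()  # connections already marked as TDS

    def classify(self, src, sport, dst, dport, payload):
        conv = frozenset({(src, sport), (dst, dport)})
        if sport in TDS_PORTS or dport in TDS_PORTS:
            return "TDS (port)"            # accepted without inspection
        if conv in self.tds_conversations:
            return "TDS (conversation)"    # earlier packet looked like a login
        if looks_like_tds_login(payload):
            self.tds_conversations.add(conv)
            return "TDS (heuristic)"
        return "TCP (unidentified)"

def demo():
    # Constructed packets: (src, sport, dst, dport, payload). None are real captures.
    login_like = bytes([0x10, 0x01, 0x00, 0x5A, 0, 0, 0, 0]) + b"x" * 82
    packets = [
        ("10.0.0.5", 40000, "10.0.0.9", 1433, b"GET / HTTP/1.0\r\n\r\n"),
        ("10.0.0.5", 40001, "10.0.0.9", 1352, login_like),
        ("10.0.0.9", 1352, "10.0.0.5", 40001, b"\x7a" * 40),
        ("10.0.0.6", 40002, "10.0.0.9", 1352, b"\x7a" * 40),
    ]
    c = Classifier()
    return [c.classify(*p) for p in packets]

if __name__ == "__main__":
    for label in demo():
        print(label)
```

The second and third packets show how one login-shaped payload on port 1352 labels the whole connection as TDS, while a separate connection to the same port stays plain TCP.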