Ethereal-users: RE: [Ethereal-users] Decode as a different protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Nida, Bob" <BONida@xxxxxxxxxxxx>
Date: Tue, 12 Jul 2005 10:54:28 -0400
Ah....  OK, Ethereal's "MS Proxy" is what we have been advised by our
Proxy admin as "Winsock Proxy".  It does decode that on that port
mentioned below.  

OK, I've got it figured out now.  I simply had to "decode as" his custom
port selection as HTTP and now all is well.  I'm not a proxy admin or an
HTML developer; I forgot that proxy was somewhat of an extension of HTTP.

Thanks for everyone's help.

Ethereal is a great product.

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, July 12, 2005 3:03 AM
To: Ethereal user support
Subject: Re: [Ethereal-users] Decode as a different protocol


Ulf Lamping wrote:

> So there seems to be a special "MS Proxy" protocol existing you're 
> talking about (I just don't know any protocol around ;-)

He *might* be referring to the Microsoft "Remote WinSock Protocol", 
which is what our "MS Proxy" dissector dissects.

I infer from some stuff I found on the Web:

	
http://www.isaserver.org/articles/Understanding_the_Firewall_Client_Control_Channel.html

that it runs on port 1745 for setup operations.  We dissect it only on 
UDP port 1745; that article says TCP port 1745 is also used.

After the setup is done, the client can then talk to the proxy/firewall; 
in our dissector, "add_msproxy_conversation()" sets that up.  That's a 
different protocol - the packets don't have the RWSP control channel 
header, they just have a destination port and address.

I don't know whether the "proxy activity" that's on "a port different 
from 80 or 8080" is RWSP setup traffic or session traffic.

If it's setup traffic, the reason why we don't support it for "Decode 
As" is probably that we only decode RWSP setup traffic over UDP - if the 
"proxy activity" is running over TCP, we'd have to add support for 
RWSP-over-TCP.

If it's session traffic, our dissector for that is currently only set up 
as a result of RWSP setup traffic in the same session; we don't support 
explicitly setting traffic to be proxy session traffic.

> You may send a *small* capture file to the list, so the people with 
> more knowledge than me might get an idea what's the problem or there's 
> a simple way to fix it.

We'd probably need a capture file like that to figure out what more we 
need to do.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users