Wireshark · Wireshark-dev: Re: [Wireshark-dev] A simple question about wireshark: confusion about OICQ protocol analysis

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

Adele wrote:
> Actually I have talk to some guys who work in OICQ company and according 
> to them, Thunder and OICQ are competitors and there are not any 
> co-operations between them.  So I am really confused that how I can 
> capture OICQ packets from Thunder while the OICQ is not running.  
> Therefore, if it is possible, may I ask how  Wireshark works and decide 
> a packet is an OICQ packet? I mean, besides of the UDP port, are there 
> any other ways for Wireshark to categorise a packet to be an OICQ packet?

Wireshark, as a network analyzer, uses different methods to classify 
packets.  In the case of OICQ it appears that the OICQ dissector grabs 
packets on UDP port 8000, does some basic heuristics to check if the 
packet looks at least vaguely like OICQ, and then decodes the packet as 
OICQ.

Heuristics generally aren't perfect which means the dissector will 
likely make mistakes.  I'd guess in this case that Thunder's packets 
look enough like OICQ to fool the dissector.

If we had some OICQ sample captures (there aren't any on the 
SampleCaptures page on the Wiki) and some Thunder sample captures, we 
/might/ be able to strengthen the heuristics of OICQ to not recognize 
those Thunder packets are OICQ.

For the time being you could just disable the OICQ dissector to make 
these presumably false-positives go away.