Wireshark-dev: Re: [Wireshark-dev] A simple question about wireshark: confusion about OICQ prot
From: Jeff Morriss <[email protected]>
Date: Thu, 05 Mar 2009 11:02:40 -0500

Adele wrote:
> Actually I have talked to some guys who work at the OICQ company and, according to them, Thunder and OICQ are competitors and there is no co-operation between them. So I am really confused about how I can capture OICQ packets from Thunder while OICQ is not running. Therefore, if it is possible, may I ask how Wireshark works and decides that a packet is an OICQ packet? I mean, besides the UDP port, are there any other ways for Wireshark to categorise a packet as an OICQ packet?
Wireshark, as a network analyzer, uses different methods to classify 
packets.  In the case of OICQ it appears that the OICQ dissector grabs 
packets on UDP port 8000, does some basic heuristics to check if the 
packet looks at least vaguely like OICQ, and then decodes the packet as 
OICQ.
Heuristics generally aren't perfect, which means the dissector will 
likely make mistakes.  I'd guess in this case that Thunder's packets 
look enough like OICQ to fool the dissector.
If we had some OICQ sample captures (there aren't any on the 
SampleCaptures page on the Wiki) and some Thunder sample captures, we 
/might/ be able to strengthen the heuristics of OICQ to not recognize 
those Thunder packets as OICQ.
For the time being you could just disable the OICQ dissector to make 
these presumably false positives go away.