
Wireshark-dev: [Wireshark-dev] Using port numbers to determine next dissector

From: Rayne <hjazz6@xxxxxxxxx>
Date: Mon, 6 Apr 2009 22:55:36 -0700 (PDT)
Hi all,

I understand that Wireshark uses 2 ways to determine what dissector to call next, in the event that there is no "Next Protocol" field or the equivalent - by looking at the port numbers of the current layer, or at a list of heuristic dissectors.

What happens if there are no heuristic dissectors to look at and there is other traffic that also uses the port registered to a particular protocol? For example, say ProtoA is registered to UDP port 5000. If I have some non-ProtoA traffic that also uses UDP port 5000, would this traffic be wrongly dissected by the ProtoA dissector?

Also, I noticed that traffic that uses TCP ports 2123 and 2152 is classified as GTP traffic (I'm using Wireshark 0.99.6). However, if I'm not wrong, the 3GPP specs state that GTP traffic only uses UDP ports 2123 and 2152, not TCP (well, GTP version 1 anyway, version 0 and GTP' can use both TCP/UDP port 3386).

Thank you.
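
The UDP port 5000 scenario from the message above, as an added example (not part of the original post and not Wireshark source code): a simplified C model of port-table dispatch in which a dissector returns 0 to reject a payload. The ProtoA header layout (magic "PA" plus a 16-bit length), the function names and the sample bytes are all constructed assumptions, and the model falls straight through to "data" without a heuristic stage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of port-based dispatch; not Wireshark source code.
 * A dissector returns the number of bytes it accepted; 0 means "not mine". */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* Hypothetical ProtoA header: 'P','A', then 16-bit big-endian payload length. */
static int protoa_trusting(const uint8_t *buf, size_t len) {
    (void)buf;
    return (int)len;                 /* claims anything seen on its port */
}

static int protoa_checking(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 'P' || buf[1] != 'A')
        return 0;                    /* magic mismatch: reject */
    size_t plen = ((size_t)buf[2] << 8) | buf[3];
    return plen == len - 4 ? (int)len : 0;   /* length must be consistent */
}

struct port_entry { uint16_t port; const char *name; dissector_fn fn; };

/* Name of the protocol that accepted the payload, or "data" if none did. */
const char *dispatch(const struct port_entry *tbl, size_t n,
                     uint16_t sport, uint16_t dport,
                     const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < n; i++)
        if ((tbl[i].port == sport || tbl[i].port == dport) && tbl[i].fn(buf, len) > 0)
            return tbl[i].name;
    return "data";
}

/* Constructed sample payloads: one valid ProtoA message, one unrelated. */
static const uint8_t SAMPLE_PROTOA[] = { 'P', 'A', 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_OTHER[]  = { 0x16, 0x03, 0x01, 0x00, 0x05, 1, 2, 3, 4, 5 };

/* Classify a payload sent from port 40000 to UDP port 5000. */
const char *classify(int validate, const uint8_t *buf, size_t len) {
    struct port_entry tbl[] = {{ 5000, "ProtoA", validate ? protoa_checking : protoa_trusting }};
    return dispatch(tbl, 1, 40000, 5000, buf, len);
}

int main(void) {
    printf("port only:   %s\n", classify(0, SAMPLE_OTHER, sizeof SAMPLE_OTHER));
    printf("with checks: %s\n", classify(1, SAMPLE_OTHER, sizeof SAMPLE_OTHER));
    return 0;
}
```

With port-only matching the unrelated payload is labelled ProtoA; once the dissector validates its own header, the same payload is left as undissected data.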