
Wireshark-dev: Re: [Wireshark-dev] Using port numbers to determine next dissector

From: Rayne <hjazz6@xxxxxxxxx>
Date: Tue, 7 Apr 2009 17:41:20 -0700 (PDT)
--- On Tue, 4/7/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-dev] Using port numbers to determine next dissector
> To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> Date: Tuesday, April 7, 2009, 4:49 PM
> On Apr 7, 2009, at 1:52 AM, Rayne wrote:
> 
> >> Unless there's some flavor of GTP version 1 documented elsewhere
> >> that runs over TCP ports 2123 or 2152, the GTP dissector shouldn't
> >> register for those ports, just for UDP ports 2123 and 2152.
> >
> > ** That's what I thought, but I saw packets classified as GTP with
> > TCP port 2152 listed as their source or destination ports.
> 
> When I said "shouldn't", I meant it in a prescriptive sense, rather
> than a descriptive sense - unless there's some way in which GTPv1 runs
> over TCP ports 2123 or 2152, it's not correct for the GTP dissector to
> register for those ports (that's the prescriptive sense of "shouldn't"),
> but it *does* register for them ("shouldn't" in the descriptive sense
> would have meant "the dissector doesn't register for those ports, so
> there's no way it could be handed those packets").

Since it's not correct for the GTP dissector to register for those ports, why register for them then? Is it in case GTPv1 does happen to run over TCP ports 2123 or 2152? But since that is not very likely to happen, would this result in non-GTP traffic running over TCP ports 2123 or 2152 being wrongly dissected as GTP traffic?

And Guy, thank you very much for your detailed explanations.