Wireshark-dev: Re: [Wireshark-dev] Using port numbers to determine next dissector

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Wed, 8 Apr 2009 06:45:53 +0200
>Since it's not correct for the GTP dissector to register for those ports,
>why register for them then? Is it in case GTPv1 does happen to run over TCP
>ports 2123 or 2152? But since that is not very likely to happen, would this
>result in non-GTP traffic running over TCP ports 2123 or 2152 to be wrongly
>dissected as GTP traffic?
Presumably the writer of that piece of code had a reason to add those ports
(or made a mistake), and yes, that would interpret any traffic on those TCP
ports as GTP, as will the UDP ports if non-GTP traffic is sent on them.
Regards
Anders

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Rayne
Sent: 8 April 2009 02:41
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Using port numbers to determine next dissector


--- On Tue, 4/7/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-dev] Using port numbers to determine next dissector
> To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> Date: Tuesday, April 7, 2009, 4:49 PM
> On Apr 7, 2009, at 1:52 AM, Rayne wrote:
> 
> >> Unless there's some flavor of GTP version 1 documented elsewhere
> >> that runs over TCP ports 2123 or 2152, the GTP dissector shouldn't
> >> register for those ports, just for UDP ports 2123 and 2152.
> >
> > ** That's what I thought, but I saw packets classified as GTP with
> > TCP port 2152 listed as their source or destination ports.
> 
> When I said "shouldn't", I meant it in a prescriptive sense, rather  
> than a descriptive sense - unless there's some way in which GTPv1 runs  
> over TCP ports 2123 or 2152, it's not correct for the GTP dissector to  
> register for those ports (that's the prescriptive sense of "shouldn't"), 
> but it *does* register for them ("shouldn't" in the descriptive sense
> would have meant "the dissector doesn't register for those ports, so 
> there's no way it could be handed those packets").

Since it's not correct for the GTP dissector to register for those ports,
why register for them then? Is it in case GTPv1 does happen to run over TCP
ports 2123 or 2152? But since that is not very likely to happen, would this
result in non-GTP traffic running over TCP ports 2123 or 2152 to be wrongly
dissected as GTP traffic?

And Guy, thank you very much for your detailed explanations.
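
[Added example, not part of the thread and not Wireshark's own code: a toy C model of the port-keyed dissector selection discussed above, showing the same TCP/2152 packet being labelled GTP when TCP is registered and plain data when only UDP is. The names (reg, pick, looks_like_gtpv1) and both sample payloads are constructed for illustration; the GTPv1 plausibility check goes beyond what the thread covers and is deliberately simplified.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of port-keyed dissector selection (hypothetical names, not Wireshark's API). */
enum transport { T_UDP, T_TCP };
struct reg { enum transport t; uint16_t port; const char *proto; };

/* Registrations as described in the thread: GTP on UDP and on TCP 2123/2152. */
static const struct reg with_tcp[] = {
    { T_UDP, 2123, "gtp" }, { T_UDP, 2152, "gtp" },
    { T_TCP, 2123, "gtp" }, { T_TCP, 2152, "gtp" },
};
/* Registrations restricted to UDP. */
static const struct reg udp_only[] = {
    { T_UDP, 2123, "gtp" }, { T_UDP, 2152, "gtp" },
};

/* Constructed samples: a GTPv1 Echo Request and the start of an HTTP request. */
static const uint8_t gtp_echo[] = { 0x32, 0x01, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t http_req[] = "GET / HTTP/1.1\r\n";

/* Port-only selection: the payload is never looked at. */
static const char *pick(const struct reg *tbl, size_t n, enum transport t,
                        uint16_t sport, uint16_t dport)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].t == t && (tbl[i].port == sport || tbl[i].port == dport))
            return tbl[i].proto;
    return "data";
}

/* Simplified GTPv1 plausibility check: version bits == 1 and the length field
 * (octets following the 8-octet mandatory header) matches the payload size. */
static int looks_like_gtpv1(const uint8_t *p, size_t len)
{
    if (len < 8 || (p[0] >> 5) != 1)
        return 0;
    return (((size_t)p[2] << 8) | p[3]) == len - 8;
}

int main(void)
{
    printf("TCP/2152, TCP registered: %s\n", pick(with_tcp, 4, T_TCP, 40000, 2152));
    printf("TCP/2152, UDP only:       %s\n", pick(udp_only, 2, T_TCP, 40000, 2152));
    printf("echo plausible=%d http plausible=%d\n",
           looks_like_gtpv1(gtp_echo, sizeof gtp_echo),
           looks_like_gtpv1(http_req, sizeof http_req - 1));
    return 0;
}
```

[A payload check of this kind is what keeps a port match from being the only evidence that traffic is GTP, on UDP as well as on TCP.]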


      
