Wireshark-users: [Wireshark-users] Protocol Forcing

From: "Ellington, Jerry" <Jerry.Ellington@xxxxxxxxx>
Date: Tue, 22 Aug 2006 07:29:24 -0500
Thanks Guy for the information about TPKT.  I never knew what those 4 bytes were.
Unfortunately I am not a developer so I won't be able to modify the source code.
Thank you for your response,


> I just joined the group,

Unfortunately, you joined the wrong group; as the above note suggests, the *correct* group is wireshark-users:

because Ethereal isn't currently being developed - all development has moved to Wireshark.

> so if I'm not doing this properly please let me know.

> I'm looking for a way to set up protocol forcing. I.e.:
> if TCP port 8473 then skip 4 bytes then ISO CLNP

> Anybody know how to do that?

No, because there is no way to do that.

Do you really mean

if TCP port 8473, then use TPKT encapsulation, but of CLNP rather than COTP?

I.e. are those "4 bytes" not just "4 bytes", but a version byte, a reserved byte, and a 2-byte field containing the length of the CLNP PDU plus 4 for the TPKT header?

If so, then the way to do that would be to

1) change the packet-tpkt.c dissector to have a new dissector for TPKT-encapsulated CLNP;

2) have that dissector register itself for TCP port 8473.
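The TPKT framing described in this thread, as an added example written for this page (it is not code from Wireshark's packet-tpkt.c): it parses the version, reserved and length bytes, uses the length field to step over back-to-back frames in a TCP segment, and hands each "skip 4 bytes" payload to a check that the first byte is the ISO 8473 CLNP network layer protocol identifier (0x81, assumed here as the payload test). The sample bytes are constructed for the example.

```c
/* Added example, not Wireshark's packet-tpkt.c: parse the TPKT framing
 * (RFC 1006: version 3, reserved 0, 16-bit big-endian length counting the
 * 4-byte header) and locate the CLNP PDU that follows each header. */
#include <stdint.h>
#include <stddef.h>

#define TPKT_HDR_LEN 4
#define CLNP_NLPID   0x81   /* ISO 8473 network layer protocol identifier */

typedef struct {
    const uint8_t *pdu;     /* first byte of the encapsulated CLNP PDU */
    size_t pdu_len;         /* TPKT length minus the 4-byte header */
} tpkt_frame;

/* Returns the number of bytes the whole TPKT frame occupies, or 0 when the
 * header is malformed or the buffer does not yet hold the full frame. */
size_t tpkt_parse(const uint8_t *buf, size_t len, tpkt_frame *out)
{
    if (len < TPKT_HDR_LEN) return 0;                  /* header incomplete */
    if (buf[0] != 3 || buf[1] != 0) return 0;          /* version/reserved */
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (total < TPKT_HDR_LEN || total > len) return 0; /* bad or truncated */
    out->pdu = buf + TPKT_HDR_LEN;
    out->pdu_len = total - TPKT_HDR_LEN;
    return total;
}

/* Walk a TCP segment holding back-to-back TPKT frames ("skip 4 bytes, then
 * CLNP") and count the frames whose payload starts with the CLNP NLPID. */
int count_clnp_frames(const uint8_t *buf, size_t len)
{
    int n = 0;
    size_t off = 0;
    tpkt_frame f;
    while (off < len) {
        size_t used = tpkt_parse(buf + off, len - off, &f);
        if (used == 0) break;                  /* stop at a bad/partial frame */
        if (f.pdu_len > 0 && f.pdu[0] == CLNP_NLPID) n++;
        off += used;
    }
    return n;
}

/* Constructed sample: a 7-byte frame carrying a CLNP-looking PDU (0x81 ...)
 * followed by a 5-byte frame carrying something else. */
static const uint8_t sample_seg[] = {
    0x03, 0x00, 0x00, 0x07, 0x81, 0x01, 0x02,
    0x03, 0x00, 0x00, 0x05, 0x0e,
};
```

A real dissector would additionally ask TCP for reassembly when `tpkt_parse` reports a truncated frame, rather than stopping as the loop here does.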