Wireshark-users: Re: [Wireshark-users] Protocol Forcing (Decode As)

From: "Ellington, Jerry" <Jerry.Ellington@xxxxxxxxx>
Date: Mon, 28 Aug 2006 07:30:10 -0500
Title: RE: Protocol Forcing (Decode As)

Would anyone be interested in modifying and building this for me?  I am not a developer.

Thanks, Jerry


Message: 1
Date: Tue, 22 Aug 2006 07:29:24 -0500
From: "Ellington, Jerry" <Jerry.Ellington@xxxxxxxxx>
Subject: [Wireshark-users] Protocol Forcing
To: guy@xxxxxxxxxxxx, wireshark-users@xxxxxxxxxxxxx

Thanks Guy for the information about TPKT.  I never knew what those 4 bytes were.
Unfortunately I am not a developer so I won't be able to modify the source code.
Thank you for your response,

> I'm looking for a way to set up protocol forcing. I.e.:
>
> if TCP port 8473 then skip 4 bytes then ISO CLNP
>
> Anybody know how to do that?

No, because there is no way to do that.

Do you really mean

    if TCP port 8473, then use TPKT encapsulation, but of CLNP rather than COTP?

I.e. are those "4 bytes" not just "4 bytes", but a version byte, a reserved byte, and a 2-byte field containing the length of the CLNP PDU plus 4 for the TPKT header?

If so, then the way to do that would be to

1) change the packet-tpkt.c dissector to have a new dissector for TPKT-encapsulated CLNP;

2) have that dissector register itself for TCP port 8473.
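
The TPKT framing described in the reply above, as an added example that is not part of the original thread and is not Wireshark's packet-tpkt.c: a stand-alone C parser that validates the 4-byte header before handing the payload to the next layer. The version value 3 comes from RFC 1006 rather than from the thread; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPKT_HDR_LEN 4   /* version, reserved, 2-byte length */
#define TPKT_VERSION 3   /* RFC 1006 value; assumption, not stated in the thread */

enum tpkt_status { TPKT_OK, TPKT_NEED_MORE, TPKT_BAD };

/* Parse one TPKT frame at buf[0..len). On TPKT_OK, *payload points at the
 * encapsulated PDU (CLNP in the thread's case) and *frame_len is the total
 * frame size, header included. buf[1] is the reserved byte and is ignored. */
enum tpkt_status tpkt_parse(const uint8_t *buf, size_t len,
                            const uint8_t **payload, size_t *payload_len,
                            size_t *frame_len)
{
    if (len < TPKT_HDR_LEN) return TPKT_NEED_MORE;  /* header split across segments */
    if (buf[0] != TPKT_VERSION) return TPKT_BAD;    /* not TPKT: do not trust length */
    size_t total = ((size_t)buf[2] << 8) | buf[3];  /* big-endian, includes header */
    if (total < TPKT_HDR_LEN) return TPKT_BAD;      /* shorter than its own header */
    if (total > len) return TPKT_NEED_MORE;         /* PDU continues in later segment */
    *payload = buf + TPKT_HDR_LEN;
    *payload_len = total - TPKT_HDR_LEN;
    *frame_len = total;
    return TPKT_OK;
}

/* Walk a reassembled TCP byte stream. Returns the number of complete frames
 * (or -1 if malformed) and reports bytes still waiting for more data. */
int tpkt_count_frames(const uint8_t *buf, size_t len, size_t *leftover)
{
    int n = 0;
    for (;;) {
        const uint8_t *p; size_t plen, flen;
        enum tpkt_status st = tpkt_parse(buf, len, &p, &plen, &flen);
        if (st == TPKT_BAD) return -1;
        if (st == TPKT_NEED_MORE) { *leftover = len; return n; }
        buf += flen; len -= flen; n++;
    }
}

/* Constructed sample: a 7-byte frame, an empty 4-byte frame, a truncated frame. */
static const uint8_t sample[] = { 3, 0, 0, 7, 0x81, 0x01, 0x02,
                                  3, 0, 0, 4,   3, 0, 0, 9, 0x81 };

int main(void) {
    size_t left = 0;
    int n = tpkt_count_frames(sample, sizeof sample, &left);
    printf("%d complete frames, %zu bytes awaiting more data\n", n, left);
    return n < 0;
}
```

Checking the length field against both the header size and the bytes actually captured is what distinguishes decoding the TPKT header from blindly skipping 4 bytes.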