Ethereal-dev: Re: [Ethereal-dev] How to identify tcp packets with no fixed port?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 19 Jan 2004 16:50:18 -0800

On Jan 19, 2004, at 4:32 PM, Jaime Fournier wrote:

> I have a protocol that is TCP based, but the ports are
> totally random. Looking through the dissectors I can
> not find a good example of a protocol that identifies
> itself to the lower level dissectors without a fixed
> port.
> Any references/pointers would be greatly appreciated.

ONC RPC, DCE RPC, FCIP, GIOP, iSCSI, TDS, etc.

Those work as heuristic dissectors; to work as a heuristic dissector, your dissector would have to be able to, by looking at part of the packet, guess, with a reasonable degree of certainty, whether the packet is for it or not. ("Reasonable degree of certainty" probably means that "the third word in the packet must be 1, 2, or 3" isn't going to be sufficient.)

Look for 'heur_dissector_add *("tcp"' in the top-level source directory to find dissectors that register themselves as heuristic dissectors atop TCP.
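The "reasonable degree of certainty" point above is the part people get wrong, so here is an added, stand-alone illustration (not Ethereal code, and not any of the dissectors named in the message). It assumes a hypothetical protocol, called "EXPL" here, whose header carries a magic string, a version byte, a type byte and a length field, and compares a weak heuristic of the "third word must be 1, 2 or 3" kind against one that combines several independent checks. The sample segment and the random traffic are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical "EXPL" protocol (an assumption for this example, not a
 * real protocol). Assumed header layout:
 *   bytes 0..3  magic "EXPL"
 *   byte  4     version, must be 1, 2 or 3
 *   byte  5     message type, must be 0..7
 *   bytes 6..7  payload length, big-endian, must equal the bytes that follow
 */
#define EXPL_HDR_LEN 8

/* Weak heuristic: only checks that the version byte is 1, 2 or 3.
 * Roughly 3 in 256 random segments pass, which is far too many. */
int weak_heuristic(const uint8_t *buf, size_t len)
{
    if (len < EXPL_HDR_LEN)
        return 0;
    return buf[4] >= 1 && buf[4] <= 3;
}

/* Strong heuristic: several independent checks must all agree
 * (magic, version, type, and the length field matching the segment). */
int strong_heuristic(const uint8_t *buf, size_t len)
{
    if (len < EXPL_HDR_LEN)
        return 0;
    if (memcmp(buf, "EXPL", 4) != 0)
        return 0;
    if (buf[4] < 1 || buf[4] > 3)
        return 0;
    if (buf[5] > 7)
        return 0;
    size_t plen = ((size_t)buf[6] << 8) | buf[7];
    return plen == len - EXPL_HDR_LEN;
}

/* Constructed sample segment: version 2, type 1, 4-byte payload. */
const uint8_t sample_packet[] = {
    'E', 'X', 'P', 'L', 2, 1, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef
};
const size_t sample_packet_len = sizeof sample_packet;

/* Deterministic xorshift32 generator so the "random" traffic is reproducible. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t next_rand(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    rng_state = x;
    return x;
}

/* Feed `trials` random TCP payloads (8..23 bytes) to a heuristic and
 * count how often it wrongly claims the segment as its own. */
int count_false_positives(int trials, int (*heur)(const uint8_t *, size_t))
{
    uint8_t buf[24];
    int hits = 0;
    rng_state = 0x9e3779b9u;            /* reset so every call is reproducible */
    for (int i = 0; i < trials; i++) {
        size_t len = 8 + (next_rand() & 15);
        for (size_t j = 0; j < len; j++)
            buf[j] = (uint8_t)(next_rand() & 0xff);
        if (heur(buf, len))
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("sample segment: weak=%d strong=%d\n",
           weak_heuristic(sample_packet, sample_packet_len),
           strong_heuristic(sample_packet, sample_packet_len));
    printf("false positives over 10000 random segments: weak=%d strong=%d\n",
           count_false_positives(10000, weak_heuristic),
           count_false_positives(10000, strong_heuristic));
    return 0;
}
```

Inside a real heuristic dissector the same checks would be made against the tvbuff (tvb_get_guint8, tvb_get_ntohs and friends) in the function registered via heur_dissector_add("tcp", ...), and the function would return FALSE on any failed check so that TCP can go on to try the other registered heuristics; it should only claim the segment, and start adding to the protocol tree, once every check has passed.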