Ethereal-users: Re: [Ethereal-users] Misinterpretation of FTP packets as MGCP packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 17 Apr 2002 13:23:38 -0700
On Wed, Apr 17, 2002 at 05:10:51PM +0100, Simon Neild wrote:
> I have hit one small problem: Using version 0.92 under Windows/98 / Windows
> 2000, a simple FTP packet capture has some FTP frames mis-represented as
> MGCP frames. If I turn off MGCP protocol analysis, this problem goes away,
> but for some remote students, I am reluctant to add a further level of
> complication to their studying of TCP/IP.
> 
> Do you know what the cause of this might be?

The use of ports 2427 or 2727 by one or the other of the conversations
in the FTP traffic.

The MGCP dissector registers those as ports used for MGCP traffic, so
the TCP and UDP dissectors might supply some packets to or from those
ports to the MGCP dissector.

> Is there a fix now/anticipated?

There is no "fix", in the sense of something to prevent it from *ever*
happening, possible.

There might, at some point, be changes to make it less likely to happen,
but they probably won't happen any time soon.  (They're not trivial
changes.  It's not as if this is a simple "bug"; in some cases, it's
entirely *correct* to treat port 2427 or 2727 traffic as MGCP traffic,
the problem is dealing with traffic where *both* of the port numbers are
"known" port numbers, but they're for different protocols.)

I would suggest that you either

	1) remove the "mgcp.dll" file from the "plugins\{version number}"
	   directory in which Ethereal is installed ("{version number}"
	   would be the version number of Ethereal that you've
	   installed), to completely remove the MGCP dissection code
	   from Ethereal

or

	2) put into the directory in which Ethereal is installed (e.g.,
	   "C:\Program Files\Ethereal") a text file containing

		mgcp.tcp.gateway_port: 0
		mgcp.udp.gateway_port: 0
		mgcp.tcp.callagent_port: 0
		mgcp.udp.callagent_port: 0

	   to cause Ethereal, by default, to choose port 0 (a port
	   number that's unlikely to ever be used in packets) as the
	   port number for MGCP, so that it won't dissect port 2427 or
	   2727 traffic as MGCP.

I would recommend the latter, as the former is a bit of a hack,
permanently disables a capability (unless you put the dll back), and
will also have to be done every time you re-install Ethereal.

Unfortunately, if by "remote students" you mean "students with their own
computer on which they've installed Ethereal", this won't help - you
will *have* to add a further level of complication.  However, they can
do something similar to step 2, within the Ethereal GUI - start
Ethereal, select "Preferences" from the "Edit" menu, open up the list
under "Protocols" in the left-hand pane of the "Preferences" dialog that
pops up, select "MGCP" from that list, put in 0 for all four port
numbers, click "Save", and click "OK".  That'll save 0 as the port
number in their personal preferences.
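
The port collision and the effect of the port-0 preferences described in the message above, as an added example that is not part of the original message and is not Ethereal's code. The lookup order (source port first), the function names and the sample flows are assumptions made for illustration; only the preference keys and ports 2427/2727 come from the message.

```python
# Simplified model of port-based dissector selection (added illustration).
# Assumption: the source port is looked up before the destination port.
DEFAULT_PREFS = {
    "mgcp.tcp.gateway_port": 2427, "mgcp.udp.gateway_port": 2427,
    "mgcp.tcp.callagent_port": 2727, "mgcp.udp.callagent_port": 2727,
}

# The four preference lines from the message, as they would sit in a text file.
OVERRIDE = """
mgcp.tcp.gateway_port: 0
mgcp.udp.gateway_port: 0
mgcp.tcp.callagent_port: 0
mgcp.udp.callagent_port: 0
"""

def parse_prefs(text):
    """Parse 'name: value' lines over the defaults; skip blanks and # comments."""
    prefs = dict(DEFAULT_PREFS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if name.strip() in prefs:
            prefs[name.strip()] = int(value)
    return prefs

def tcp_port_table(prefs):
    """Registered TCP port -> dissector name; FTP control is fixed at port 21."""
    table = {21: "FTP"}
    for key in ("mgcp.tcp.gateway_port", "mgcp.tcp.callagent_port"):
        table[prefs[key]] = "MGCP"
    return table

def classify(table, src_port, dst_port):
    """Return (chosen dissector or None, set of every dissector that matched)."""
    matches = [table[p] for p in (src_port, dst_port) if p in table]
    return (matches[0] if matches else None), set(matches)

if __name__ == "__main__":
    # Constructed flow: an FTP client whose ephemeral port happens to be 2427.
    for label, text in (("defaults", ""), ("port-0 prefs", OVERRIDE)):
        table = tcp_port_table(parse_prefs(text))
        for src, dst in ((2427, 21), (21, 2427)):
            chosen, matched = classify(table, src, dst)
            note = " (both ports registered)" if len(matched) > 1 else ""
            print(f"{label}: {src}->{dst} dissected as {chosen}{note}")
```

With the defaults, only one direction of the constructed FTP control connection is handed to MGCP in this model; with the four preferences set to 0, both directions resolve to FTP.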