On Fri, Aug 23, 2002 at 12:21:07PM -0400, Eric Bellotti wrote:
> I'm trying to figure out why TCP packets of type yhoo (port 5050) will
> not decode properly. Older messages in the dev list discussed issues of
> heuristic vs non heuristic decoders, another mentioned a bug in the
> "decode as" window. However, I still am having problems understanding
> the source of the inability of ethereal to decode yhoo type packets. Is
> the protocol 'supported' or not?
The current Yahoo Messenger dissector in Ethereal will dissect TCP
segments as containing a Yahoo Messenger packet if
1) they are either sent to or from port 5050;
and
2) they contain at least 105 bytes
and
3) the first 4 bytes of the packet are either "YPNS" or "YHOO".
If there are TCP segments that do *not* have all three characteristics,
the current Yahoo Messenger dissector will assume that they are not
Yahoo Messenger packets.
If you are seeing TCP segments that contain Yahoo Messenger traffic but
that are not dissected as such by Ethereal, which of the latter two
characteristics do they not have? (I presume 1) is true, given your
first sentence above, so either 2) or 3) or both are not true.)