
Ethereal-users: [Ethereal-users] Problem with Ethereal.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Quadling <richard.quadling@xxxxxxxxxxxx>
Date: Wed, 23 Oct 2002 16:41:59 +0100
Hello.
 
This is a minor problem and I'm not expecting a fix immediately, but I thought you'd like to know about it.
 
I'm using Windows 2000 SP3, Outlook 2002 (XP) linked to Exchange Server.
 
I also have Outlook looking at my home POP3 accounts handled by an external ISP.
 
This is the followed TCP stream (with a small bit of editing to hide usernames/passwords/etc).
 
 
+OK QPOP (version ?) at www.hostdns.co.uk starting.  <0000.0000000000@xxxxxxxxxxxxxxxxx>
USER xx
+OK Password required for xx.
PASS xxxxxxxxxxx
+OK xx has 0 visible messages (0 hidden) in 0 octets.
STAT
+OK 0 0
UIDL
+OK UIDL command accepted.
.
QUIT
+OK Pop server at www.hostdns.co.uk signing off.
 

The problem is that the protocol that Ethereal is using is GTP-C (or so it thinks).
 
Using the first line as an example, the breakdown of the packet is ...
 
Frame 33 (144 bytes on wire, 144 bytes captured)
    Arrival Time: Oct 23, 2002 16:10:42.04099400
    Time delta from previous packet: 0.13446100 seconds
    Time relative to first packet: 15.99951200 seconds
    Frame Number: 33
    Packet Length: 144 bytes
    Capture Length : 144 bytes
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:x:xx:xx:xx
    Destination: xx:xx:xx:xx:xx:xx (Card type_xx:xx)
    Source: xx:xx:xx:xx:xx:xx (Card type_xx:xx:xx)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1 (10.0.0.1), Dst Addr: 10.0.0.24 (10.0.0.24)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 130
    Identification: 0x166e
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xcfef (correct)
    Source: 10.0.0.1 (10.0.0.1)
    Destination: 10.0.0.24 (10.0.0.24)
Transmission Control Protocol, Src Port: 2123 (2123), Dst Port: 2084 (2084), Seq: 1, Ack: 1, Len: 90
    Source port: 2123 (2123)
    Destination port: 2084 (2084)
    Sequence number: 1
    Next sequence number: 91
    Acknowledgement number: 1
    Header length: 20
    Flags: 0x0018 (PSH,ACK)
        ...
    Window size: 8760
    Checksum: 0x7247 (correct)
 
Everything so far makes sense.
 
GPRS Tunnelling Protocol v1
    Flags: 0x2b                                                            (2b = +)
        001. .... = Version: GTP release 99 version (1)
        ...0 .... = Protocol type: 0
        .... 1... = Spare bit: 1
        .... .0.. = Is Next Extension Header present?: no
        .... ..1. = Is Sequence Number present?: yes
        .... ...1 = Is N-PDU number present?: yes
    Message Type: Unknown (0x4f)                               (4f = O)
    Length: 19232                                                        (4b 20 = K(space) )
    TEID: 0x51504f50                                                   (51 50 4f 50 = QPOP)
    Sequence Number: 0x2028                                     (20 28 = (space ( )
    N-PDU Number:0x76                                              (76 = v)
    Next extension header type: 0x65                            (65 = e)
    [--- end of GTP v1 header, beginning of extension headers ---]
    Unknown extension header
 
I have put next to each part the values highlighted in the hex display.
 
So it seems that information coming in from a POP3 server looks, initially anyway, like GPRS Tunnelling Protocol information.
 
Which I don't think it is <grin>.
 
Just thought you'd like to know.
 
I am running v0.9.7 of Ethereal.
 
Regards,
 
Richard Quadling.
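The misparse described in the post, reproduced as an added example (not part of the original message and not Ethereal's code): the first twelve bytes of the quoted POP3 greeting are decoded with the GTPv1 header layout, which yields exactly the field values the post lists, and a length-versus-payload sanity check of the kind a port-based dissector could apply before committing to GTP shows why the parse should be rejected. The payload bytes are constructed from the greeting line in the post; the TCP source port 2123 is the GTP-C port that triggered the dissector.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the POP3 greeting quoted in the post, as it sits at the
# start of the TCP payload that arrived from source port 2123 (GTP-C).
POP3_GREETING = b"+OK QPOP (version ?) at www.hostdns.co.uk starting."
GTP_C_PORT = 2123


@dataclass
class GtpV1Header:
    version: int
    protocol_type: int
    spare: int
    ext_hdr_present: bool
    seq_present: bool
    npdu_present: bool
    message_type: int
    length: int
    teid: int
    sequence: Optional[int]
    npdu: Optional[int]
    next_ext: Optional[int]


def parse_gtpv1(payload: bytes) -> GtpV1Header:
    """Decode a GTPv1 header (flags, type, length, TEID, optional seq/N-PDU/next-ext)
    from the front of an arbitrary byte string, the way a port-based dissector would."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5            # top 3 bits: '+' = 0x2b -> 001 -> version 1
    pt = (flags >> 4) & 1           # protocol type bit
    spare = (flags >> 3) & 1        # spare bit (set here, which is already suspicious)
    e, s, pn = bool(flags & 4), bool(flags & 2), bool(flags & 1)
    seq = npdu = nxt = None
    if e or s or pn:
        # The optional 4-byte block is present when any of E/S/PN is set.
        seq, npdu, nxt = struct.unpack("!HBB", payload[8:12])
    return GtpV1Header(version, pt, spare, e, s, pn, msg_type, length, teid, seq, npdu, nxt)


def looks_like_gtpv1(payload: bytes) -> bool:
    """Sanity check before trusting the port match: the Length field counts bytes
    after the 8-byte mandatory header, so it must fit inside what is on the wire."""
    if len(payload) < 8:
        return False
    h = parse_gtpv1(payload)
    return h.version == 1 and h.length <= len(payload) - 8
```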