Ethereal-users: Re: [Ethereal-users] libpcap file format and two more questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 16 Jan 2003 15:42:41 -0800
On Thu, Jan 16, 2003 at 08:22:35PM +0300, Vladimir Lancov wrote:
> 1. If anybody knows, please tell me where I can find a description of Ethereal's
> capture file format (libpcap file)?

	http://www.tcpdump.org/lists/workers/2002/04/msg00096.html

> 2. After sniffing RealPlayer, Ethereal produces a console window with repeating
> messages: "Frame 226: rtsp: unknown transport".
> What does that mean?

It means that

	1) the network trace includes RTSP packets that specify a
	   transport that doesn't begin with "rtp/" (which means
	   Ethereal doesn't understand how to specify that subsequent
	   traffic on a connection set up with that RTSP packet should
	   be dissected as a particular type of traffic)

and

	2) the author of the RTSP dissector decided to have it print out
	   a warning to note that.

> What to do with it?

	1) remove the warning, and just have
	   "rtsp_create_conversation()" silently return;

	2) figure out how to handle that transport.

> 3. Why doesn't Ethereal's protocol dissector recognize Yahoo Messenger
> protocol (YMSG) packets, despite its presence in the protocol list?

Because those packets either

	1) aren't being sent to or from the port the dissector thinks is
	   the Yahoo port (port 5050)

and

	2) aren't at the beginning of TCP segments or don't begin with
	   "YPNS" or "YHOO"

or

	3) take more than one TCP segment, in which case the first TCP
	   segment will be recognized *IF* the packet starts at the
	   beginning of the segment (and begins with "YPNS" or "YHOO")
	   but subsequent segments won't be recognized.
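
Added example, not part of the original message and not Ethereal's dissector code: a small C checker that reports which of the conditions listed in the reply (port 5050, "YPNS"/"YHOO" at the start of the segment, continuation segments) applies to a given TCP payload. The function names, flag names, client port 1025 and sample payload are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define YAHOO_PORT 5050           /* port named in the reply */
/* Hypothetical flags: which condition from the reply applies to a segment. */
enum {
    YM_WRONG_PORT   = 1 << 0,     /* neither endpoint is port 5050 */
    YM_NO_MAGIC     = 1 << 1,     /* "YPNS"/"YHOO" nowhere in the payload */
    YM_MAGIC_MIDSEG = 1 << 2      /* magic present, but not at offset 0 */
};

/* Offset of the first "YPNS" or "YHOO" in the payload, or -1 if absent. */
static long find_magic(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(p + i, "YPNS", 4) == 0 || memcmp(p + i, "YHOO", 4) == 0)
            return (long)i;
    return -1;
}

/* Returns 0 when a segment is on port 5050 and starts with the magic. */
int ymsg_diagnose(uint16_t sport, uint16_t dport, const uint8_t *p, size_t len)
{
    long off = find_magic(p, len);
    int flags = (sport != YAHOO_PORT && dport != YAHOO_PORT) ? YM_WRONG_PORT : 0;
    if (off < 0)      flags |= YM_NO_MAGIC;
    else if (off > 0) flags |= YM_MAGIC_MIDSEG;
    return flags;
}

/* Case 3: cut one message into mss-sized segments, count those flagged. */
size_t ymsg_missed_segments(const uint8_t *msg, size_t len, size_t mss)
{
    size_t missed = 0;
    for (size_t off = 0; mss > 0 && off < len; off += mss) {
        size_t n = (len - off < mss) ? len - off : mss;
        if (ymsg_diagnose(1025, YAHOO_PORT, msg + off, n) != 0)
            missed++;
    }
    return missed;
}

int main(void)
{
    const uint8_t msg[] = "YHOOconstructed-sample-body";  /* constructed */
    printf("missed=%zu\n", ymsg_missed_segments(msg, sizeof msg - 1, 8));
    return 0;
}
```

A nonzero result from `ymsg_diagnose()` names the condition to look for in the capture; the split helper shows why only the first segment of a long message carries the marker.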