Wireshark-dev: Re: [Wireshark-dev] A simple question about wireshark: confusion about OICQ prot
Adele wrote:
Actually I have talked to some people who work at the OICQ company, and according
to them, Thunder and OICQ are competitors and there is no
co-operation between them. So I am really confused about how I can
capture OICQ packets from Thunder while OICQ is not running.
Therefore, if it is possible, may I ask how Wireshark works out that
a packet is an OICQ packet? I mean, besides the UDP port, are there
any other ways for Wireshark to categorise a packet as an OICQ packet?
Wireshark, as a network analyzer, uses different methods to classify
packets. In the case of OICQ it appears that the OICQ dissector grabs
packets on UDP port 8000, does some basic heuristics to check if the
packet looks at least vaguely like OICQ, and then decodes the packet as
OICQ.
Heuristics generally aren't perfect which means the dissector will
likely make mistakes. I'd guess in this case that Thunder's packets
look enough like OICQ to fool the dissector.
If we had some OICQ sample captures (there aren't any on the
SampleCaptures page on the Wiki) and some Thunder sample captures, we
/might/ be able to strengthen the heuristics of OICQ so that it does not
recognize those Thunder packets as OICQ.
For the time being you could just disable the OICQ dissector to make
these presumably false positives go away.
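The reply describes a dissector that claims everything on UDP port 8000 and keeps only what passes a heuristic. The model below is an added example, not code from this thread or from Wireshark; the OICQ framing rules, the command codes and the sample packets are all assumed or constructed for illustration, so it shows the mechanism (port match, loose versus tighter heuristic, disabling the dissector) rather than the real OICQ dissector's checks.

```python
# Added example, not code from this thread or from Wireshark: a small model of how a
# port-registered dissector with a heuristic check can misclassify unrelated traffic
# on the same port, and how a tighter check or disabling the dissector changes that.
# The framing rules and command codes below are ASSUMED for illustration; they are
# not taken from Wireshark's real OICQ dissector.

OICQ_UDP_PORT = 8000  # the port the reply says the dissector grabs

def loose_check(payload: bytes) -> bool:
    """Assumed loose heuristic: payload starts with 0x02 and ends with 0x03."""
    return len(payload) >= 2 and payload[0] == 0x02 and payload[-1] == 0x03

ASSUMED_COMMANDS = {0x0001, 0x0002, 0x0022}  # constructed set of "known" command codes

def strict_check(payload: bytes) -> bool:
    """Assumed stricter heuristic: framing, a minimum size, and a command code
    (assumed to sit at bytes 3..4, big-endian) drawn from a known set."""
    if not loose_check(payload) or len(payload) < 7:
        return False
    return int.from_bytes(payload[3:5], "big") in ASSUMED_COMMANDS

def classify(dst_port: int, payload: bytes, check, oicq_enabled: bool = True) -> str:
    """A port match hands the packet to the dissector; the heuristic decides whether
    the OICQ label sticks. oicq_enabled=False models disabling the dissector."""
    if not oicq_enabled or dst_port != OICQ_UDP_PORT:
        return "data"
    return "oicq" if check(payload) else "data"

# Constructed sample traffic: (true protocol, dst_port, payload)
SAMPLES = [
    ("oicq",    8000, b"\x02\x00\x01\x00\x22" + b"\x00" * 10 + b"\x03"),  # plausible OICQ
    ("thunder", 8000, b"\x02\xab\xcd\xef\x01" + b"\x55" * 20 + b"\x03"),  # OICQ-like only at the edges
    ("thunder", 8000, b"\x7f\x01\x02\x03"),                               # fails even the loose check
    ("oicq",    5000, b"\x02\x00\x01\x00\x22" + b"\x00" * 10 + b"\x03"),  # other port: never dissected
]

def false_positives(check, oicq_enabled: bool = True) -> int:
    """Count non-OICQ packets that the dissector would label as OICQ."""
    return sum(1 for proto, port, pl in SAMPLES
               if proto != "oicq" and classify(port, pl, check, oicq_enabled) == "oicq")

def true_positives(check, oicq_enabled: bool = True) -> int:
    """Count OICQ packets that the dissector actually labels as OICQ."""
    return sum(1 for proto, port, pl in SAMPLES
               if proto == "oicq" and classify(port, pl, check, oicq_enabled) == "oicq")

if __name__ == "__main__":
    for name, check in (("loose", loose_check), ("strict", strict_check)):
        print(f"{name}: TP={true_positives(check)} FP={false_positives(check)}")
    print(f"disabled: TP={true_positives(loose_check, False)} FP={false_positives(loose_check, False)}")
```

With the constructed samples the loose check mislabels the Thunder-like packet, the stricter check does not, and disabling the dissector removes the false positive along with the genuine OICQ match.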