Wireshark-dev: Re: [Wireshark-dev] Modifying port number for TFTP
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 2 Jun 2009 14:34:26 -0600
On Tue, Jun 02, 2009 at 09:28:09PM +0200, Heude Pascal wrote:

> I had the same request than Yvan, because I have a TFTP protocol based 
> on port 59 (for call) and 50450-50460 ports for the rest of protocol. 

What setup is TFTP going over port 59 in?  I see that the official IANA 
designation for port 59 is "any private file service."  Is it common in 
your experience to have TFTP on port 59 instead of its assigned port of 
69?

> I came to the conclusion that I have to rebuild wireshark with 
> changing the source packet-tftp.c (define UDP_PORT_TFTP from 69 to 
> 59). Then for the other ports, it seems that the dissector adapts 
> itself automatically, but I need to confirm it by testing because I am 
> not very familiar with wireshark API.

See this comment from the source code for the TFTP dissector to see how 
it finds TFTP traffic The "TFTP port" below is 69.  From 
epan/dissectors/packet-tftp.c:

/*
 * The first TFTP packet goes to the TFTP port; the second one
 * comes from some *other* port, but goes back to the same
 * IP address and port as the ones from which the first packet
 * came; all subsequent packets go between those two IP addresses
 * and ports.
 *
 * If this packet went to the TFTP port, we check to see if
 * there's already a conversation with one address/port pair
 * matching the source IP address and port of this packet,
 * the other address matching the destination IP address of this
 * packet, and any destination port.
 *
 * If not, we create one, with its address 1/port 1 pair being
 * the source address/port of this packet, its address 2 being
 * the destination address of this packet, and its port 2 being
 * wildcarded, and give it the TFTP dissector as a dissector.
 */


Steve