Wireshark-dev: Re: [Wireshark-dev] How to avoid dissection based on port defined by a different
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 15 Dec 2010 16:45:34 -0800

On Dec 15, 2010, at 1:46 PM, Christopher Maynard wrote:

The problem I have with this is that 3503 is registered to MPLS Echo so that
dissector shouldn't have to be changed to essentially become a heuristic one to
accommodate this port-stealing protocol.

The protocol itself might not be stealing that port; I suspect that the "port A" in "I have a dissector plugin that is registered with port A." is not port 3503.

However, the OS on the other endpoint might have chosen port 3503 as the port number for its side of the conversation.  OSes *should* (and that might even be a SHOULD in some RFC - or even a MUST - but I don't know offhand what RFC that is) choose ports in the ephemeral range (49152 through 65535) if the application (or library) doesn't explicitly choose a port number, rather than ports in the well-known range (0 through 1023, often restricted to privileged users for silly "security" reasons) or the registered range (1024 through 49151).  However, that doesn't guarantee that they *do*.  When looking for a port match, we try the lowest port number first, as that's more likely to be a "real" port - but there isn't any test you can use on port numbers that's *guaranteed* never to get the wrong answer.