> Presumably, in that case, frames 3, 4, 6, and 7 would all probably be
> HTTP, so you might want to flag the entire connection between machine A
> port 1010 and machine B port 2020 as HTTP - preferably in one operation,
> not 4 (or more).

But not necessarily HTTP! I might know that when I receive a certain message, a certain time later there might be unrecognized
(because it's not a known port) messages exchanged...
Suppose a protocol uses message type A to control a connection and message type B to exchange data.
Sender 1 Sender 2
1 A:connection_req
2 A:req_ack
3 A:set_connection
4 A:set_ack
5 A:set_ports
6 A:portset_ack
7 B:data
8 B:data
9 B:data
10 A:connection_end
11 A:end_ack
In the current situation messages 7, 8, 9 are not recognized, but from the information in messages 5
and 6 _I_ know that the messages 7, 8, 9 are a known format, it's just that Ethereal has no way of
knowing that.
In Ethereal (in version 1.1.1.1.1) I would just (multi) select the messages and right-click on them,
select Set type and select Protocol B.
--
Andreas Sikkema
andreas.sikkema@xxxxxxxxxxx
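
The exchange above as an added sketch, not part of the original message and not Ethereal code: a toy dissector that learns the data conversation from messages 5 and 6, forgets it at `connection_end`, and lets a manual "Set type" choice override everything. Assumptions not in the post: the control port (5000), the text payload layout, `set_ports` carrying the sender's and then the receiver's data port, strictly alternating senders, the host names, and a constructed 12th frame sent after teardown.

```python
from dataclasses import dataclass

CONTROL_PORT = 5000  # assumption: message type A runs on a known port

@dataclass
class Frame:
    no: int
    src: tuple            # (host, port)
    dst: tuple
    payload: bytes
    proto: str = "unknown"

def conv_key(a, b):
    """Direction-independent key for a pair of (host, port) endpoints."""
    return tuple(sorted((a, b)))

def dissect(frames, manual=None):
    """Label frames in capture order; `manual` maps frame number -> protocol."""
    manual = manual or {}
    pending, active, data_convs = {}, {}, {}
    for f in frames:
        key = conv_key(f.src, f.dst)
        if f.no in manual:                      # the user's "Set type" wins
            f.proto = manual[f.no]
        elif CONTROL_PORT in (f.src[1], f.dst[1]) and f.payload.startswith(b"A:"):
            f.proto = "A"
            text = f.payload[2:].decode("ascii", "replace")
            verb, *args = text.split() or [""]
            if verb == "set_ports" and len(args) == 2 and all(a.isdigit() for a in args):
                # proposed data endpoints: sender's port, then receiver's port
                pending[key] = conv_key((f.src[0], int(args[0])),
                                        (f.dst[0], int(args[1])))
            elif verb == "portset_ack" and key in pending:
                active[key] = pending.pop(key)  # trust only acknowledged ports
                data_convs[active[key]] = "B"
            elif verb == "connection_end" and key in active:
                data_convs.pop(active.pop(key), None)
        else:
            f.proto = data_convs.get(key, "unknown")
    return [f.proto for f in frames]

def sample_capture():
    """Constructed capture: the 11 messages from the post plus one late frame."""
    a_ctl, b_ctl = ("hostA", 40000), ("hostB", CONTROL_PORT)
    a_dat, b_dat = ("hostA", 1010), ("hostB", 2020)
    msgs = [(a_ctl, b_ctl, b"A:connection_req"), (b_ctl, a_ctl, b"A:req_ack"),
            (a_ctl, b_ctl, b"A:set_connection"), (b_ctl, a_ctl, b"A:set_ack"),
            (a_ctl, b_ctl, b"A:set_ports 1010 2020"), (b_ctl, a_ctl, b"A:portset_ack"),
            (a_dat, b_dat, b"\x01data"), (b_dat, a_dat, b"\x01data"),
            (a_dat, b_dat, b"\x01data"), (a_ctl, b_ctl, b"A:connection_end"),
            (b_ctl, a_ctl, b"A:end_ack"), (a_dat, b_dat, b"\x01late")]
    return [Frame(i, s, d, p) for i, (s, d, p) in enumerate(msgs, 1)]
```

Because the port binding is dropped at `connection_end`, the late frame on the same ports stays "unknown" unless it is set by hand, which keeps a stale binding from mislabelling unrelated traffic.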