I have found that the tcp.port filter doesn't work for a proxied
TCP connection. For example, create an FTP connection via a SOCKS
proxy and examine the data stream. It will show that we are doing
FTP and will allow filtering on the 'ftp' protocol. However, when
I tried the filter 'tcp.port == 21' I didn't get any data. I realized
that while both the proxy protocols, SOCKS and MSProxy, use the TCP
dissector lookup routines, they don't actually do the TCP header
decode (because there isn't any). This means that no hidden value
tcp.port is created for the proxied connection.
I think that we should allow filtering on these proxied ports to be
consistent. The question is how to add the tcp.port item to the
protocol tree for the proxied ports. Because the hf_* values are
static, we must do it in the packet-tcp.c file. I am suggesting that
we add and export a routine set_tcp_hidden_port in the packet-tcp.c
file. Then the proxy protocols can call this routine to create the
hidden protocol tree for tcp.port.
As I think about this more, this argument can be extended to
tcp.srcport, tcp.dstport, ip.addr, ip.srcaddr, and ip.dstaddr.
Look out, the can is open, the worms are loose!!
Comments/questions?
Jeff Foster
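As an added illustration of the mechanism described in the post (this is example code, not Ethereal's source and not code from the poster), here is a small C model of a protocol tree with hidden items and a one-field display filter. The tree layout, the field names socks.dstport and ftp.request, and the shape of set_tcp_hidden_port() are assumptions made for the model; the point it shows is that the filter engine matches hidden items exactly like visible ones, so once the SOCKS dissector registers the negotiated destination port through the TCP dissector's exported hook, 'tcp.port == 21' matches the proxied stream without adding anything to the displayed tree.

```c
/* Added example (not Ethereal's code): a small model of a protocol tree
 * with hidden fields, showing why a proxy dissector has to register
 * tcp.port itself before 'tcp.port == 21' can match a proxied stream.
 * The tree layout, the field names and set_tcp_hidden_port() are
 * assumptions made for this model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 32

typedef struct {
    const char *abbrev;  /* display-filter field name, e.g. "tcp.port" */
    uint32_t    value;
    int         hidden;  /* 1 = not displayed, but still filterable   */
} tree_item;

typedef struct {
    tree_item items[MAX_ITEMS];
    int       n;
} proto_tree;

static void tree_init(proto_tree *t) { t->n = 0; }

static void add_uint(proto_tree *t, const char *abbrev, uint32_t value, int hidden) {
    if (t->n < MAX_ITEMS) {
        t->items[t->n].abbrev = abbrev;
        t->items[t->n].value  = value;
        t->items[t->n].hidden = hidden;
        t->n++;
    }
}

/* The proposed routine: a hidden tcp.port item owned by the TCP dissector,
 * exported so SOCKS/MSProxy can call it for the port they negotiated. */
void set_tcp_hidden_port(proto_tree *t, uint16_t port) {
    add_uint(t, "tcp.port", port, 1);
}

/* What the TCP dissector does for a real TCP header: visible src/dst
 * ports plus a hidden tcp.port item for each, so "tcp.port" matches
 * either direction. */
static void dissect_tcp_header(proto_tree *t, uint16_t srcport, uint16_t dstport) {
    add_uint(t, "tcp.srcport", srcport, 0);
    add_uint(t, "tcp.dstport", dstport, 0);
    set_tcp_hidden_port(t, srcport);
    set_tcp_hidden_port(t, dstport);
}

/* Display filter 'abbrev == value': hidden items match like visible ones. */
int filter_eq(const proto_tree *t, const char *abbrev, uint32_t value) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->items[i].abbrev, abbrev) == 0 && t->items[i].value == value)
            return 1;
    return 0;
}

/* Number of items that would actually be drawn in the tree pane. */
int visible_count(const proto_tree *t) {
    int c = 0;
    for (int i = 0; i < t->n; i++)
        if (!t->items[i].hidden) c++;
    return c;
}

/* Constructed packet: client port 3456 -> SOCKS proxy port 1080, where the
 * SOCKS CONNECT negotiated destination port 21 and the payload is FTP.
 * If proxy_registers_port is set, the SOCKS dissector calls the new hook. */
void dissect_socks_ftp_packet(proto_tree *t, int proxy_registers_port) {
    tree_init(t);
    dissect_tcp_header(t, 3456, 1080);       /* real TCP header: 3456 <-> 1080 */
    add_uint(t, "socks.dstport", 21, 0);     /* SOCKS knows the real destination */
    if (proxy_registers_port)
        set_tcp_hidden_port(t, 21);          /* the fix proposed in the post */
    add_uint(t, "ftp.request", 1, 0);        /* FTP dissector ran on the payload */
}

int main(void) {
    proto_tree before, after;
    dissect_socks_ftp_packet(&before, 0);
    dissect_socks_ftp_packet(&after, 1);
    printf("tcp.port == 21 without hook: %d\n", filter_eq(&before, "tcp.port", 21));
    printf("tcp.port == 21 with hook:    %d\n", filter_eq(&after, "tcp.port", 21));
    printf("visible items: %d vs %d\n", visible_count(&before), visible_count(&after));
    return 0;
}
```

The model flattens the tree into one list; in the real dissector the hidden item would hang off the proxy protocol's subtree, but display-filter matching walks the whole tree, so the result is the same. Keeping the hf_ index inside packet-tcp.c and exposing only the hook is what lets the proxy dissectors add the item without duplicating the static hf_* registration.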