Guy,
I took your advice and tried to find the offending packets; however,
using 'icq' as a display filter returns no frames. Using 'udp.port ==
4000' does return a few packets. Several are displayed as protocol ICQ;
they are actually DNS queries with a source port of 4000, so that makes
sense. Thanks for the clarification. What's even more impressive(?) is
that the above udp filter also returned a few ICMP dest. unreachable
packets, since the payload had frames that were originally sourced from
port 4000.
Thanks.
Scott
Guy Harris wrote:
>
> On Fri, Feb 22, 2002 at 11:20:09AM -0500, Scott Fringer wrote:
> > Any ideas what these are informing me of (besides the obvious that
> > it's not sure of the version of some ICQ traffic).
>
> It's informing you that the version number in a packet that it thought
> might be an ICQ packet, because it was sent to or from UDP port 4000,
> doesn't have a version number that it recognizes.
>
> This could either mean
>
> 1) somebody's using some new version of ICQ
>
> or, more likely
>
> 2) the traffic isn't actually ICQ traffic.
>
> > How do I determine the offending frames?
>
> Look for ICQ traffic by using a display filter of "icq", and then look
> for frames where the ICQ data isn't actually dissected.
--
Scott Fringer               Shands Healthcare @ U.F.
Network Systems Analyst     Gainesville, FL
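
Added example, not part of the original message and not Ethereal's own code: a Python sketch of why a filter such as 'udp.port == 4000' can match both a DNS query sent from source port 4000 and an ICMP destination-unreachable message, whose payload quotes the original IP header plus the first 8 bytes of the datagram (RFC 792). All function names and sample frames are constructed for illustration.

```python
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types that quote the offending datagram (RFC 792)

def ipv4(proto, payload, src="10.0.0.5", dst="10.0.0.53"):
    """Build a minimal IPv4 packet (checksum left at 0; constructed sample data)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

def udp(sport, dport, data=b""):
    """Build a UDP header plus data (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def udp_headers(pkt, quoted=False):
    """Yield (quoted, sport, dport) for each UDP header in an IPv4 packet,
    including one quoted inside an ICMP error message."""
    if len(pkt) < 20:
        return
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 17 and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        yield quoted, sport, dport
    elif proto == 1 and not quoted and len(body) >= 8 and body[0] in ICMP_ERRORS:
        # 8-byte ICMP header, then the original IP header + at least 8 bytes
        yield from udp_headers(body[8:], quoted=True)

def explain_match(pkt, port=4000):
    """Say why a frame would match a UDP port filter, or return None."""
    for quoted, sport, dport in udp_headers(pkt):
        if port in (sport, dport):
            if quoted:
                return "ICMP error quoting a UDP datagram"
            other = dport if sport == port else sport
            return "DNS on an ephemeral port" if other == 53 else "UDP, possibly ICQ"
    return None

# Constructed sample frames (not taken from the capture discussed above)
DNS_QUERY = ipv4(17, udp(4000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6))
UNREACH = ipv4(1, struct.pack("!BBHI", 3, 3, 0, 0) + DNS_QUERY[:28],
               src="10.0.0.53", dst="10.0.0.5")
OTHER = ipv4(17, udp(5000, 53))

if __name__ == "__main__":
    for name, frame in (("dns", DNS_QUERY), ("unreach", UNREACH), ("other", OTHER)):
        print(name, "->", explain_match(frame))
```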