Ethereal-users: Re: [Ethereal-users] Yahoo Decoding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 11 Apr 2002 13:49:47 -0700

On Thu, Apr 11, 2002 at 07:13:24PM +0100, bejay wrote:
> When I capture my own Yahoo Messenger packets, Ethereal does not recognise
> them but I see it is one of the dissectors in the list.
> 
> However, when viewing the data how come I can force certain Decodes like DNS
> or RTP etc etc but can't select Yahoo for example.

The Yahoo dissector is a "heuristic" dissector; you can't force decodes
for heuristic dissectors.  Those dissectors are called for packets that
don't have port numbers that match any for "known" protocols; if they
think the packet is a packet for their protocol, they'll dissect it,
otherwise they'll refuse to dissect it and let the next heuristic
dissector in the list, if any, try it.

Forcing a heuristic dissector wouldn't help - it'd just say "no, this
isn't one of my packets, I can't dissect it" and continue to refuse to
dissect it.

If the Yahoo Messenger packets are dissected as packets for some other
protocol, then try disabling that other protocol from the "Protocols"
menu item under the "Edit" menu.  Keep doing that until they're not
dissected as packets for some other protocol.

If they're not dissected as packets for some other protocol, but aren't
dissected as packets for Yahoo Messenger either, then either

	1) they *aren't* Yahoo Messenger packets

or

	2) they're Yahoo Messenger packets, but they're for a version of
	   the protocol that Ethereal's Yahoo Messenger dissector
	   doesn't understand (Ethereal's dissector recognizes only
	   Yahoo Messenger packets that begin with "YPNS" or "YHOO")

or

	3) the packets don't start at the beginning of a TCP segment, in
	   which case Ethereal's Yahoo Messenger dissector can't
	   recognize them.

Problem 1) obviously isn't fixable.

Problem 2) would be fixable if somebody with the time to fix it (I'm not
such a person) had a specification for the new version of the protocol.

Problem 3) might be *partially* fixable if the problem is that some
Yahoo Messenger packets begin at the beginning of a TCP segment, but
they take more than one TCP segment, so that the *next* Yahoo Messenger
packet begins in the middle of a TCP packet; that would require making
the Yahoo Messenger dissector do TCP reassembly and handle multiple
packets per TCP segment.  If that's the problem, then some packets
*will* be recognized, but others won't.
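
The behaviour described in the message above, as an added example that is not part of the original post and is not Ethereal's source code: a heuristic dissector list in which each entry may refuse a payload, with a Yahoo check that accepts only payloads starting with "YPNS" or "YHOO". The names `heur_list`, `other_heur` and `dissect_tcp_payload`, and the sample payloads, are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* A heuristic dissector: returns 1 to claim a payload, 0 to refuse it. */
typedef int (*heur_fn)(const unsigned char *p, size_t len);

/* Claims only payloads that begin with "YPNS" or "YHOO", the two magic
 * strings named in the post. Anything else is refused. */
static int yahoo_heur(const unsigned char *p, size_t len)
{
    if (len < 4)
        return 0;
    return memcmp(p, "YPNS", 4) == 0 || memcmp(p, "YHOO", 4) == 0;
}

/* Hypothetical second heuristic with a constructed 2-byte magic value,
 * present only to show a refusal falling through to the next entry. */
static int other_heur(const unsigned char *p, size_t len)
{
    return len >= 2 && p[0] == 0xAB && p[1] == 0xCD;
}

struct heur_entry { const char *name; heur_fn fn; };
static const struct heur_entry heur_list[] = {
    { "other", other_heur },
    { "yahoo", yahoo_heur },
};

/* Offer the payload to each heuristic in order; the first one that claims
 * it wins. If all refuse, the payload is left as undissected "data". */
const char *dissect_tcp_payload(const unsigned char *p, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i].fn(p, len))
            return heur_list[i].name;
    return "data";
}

/* Constructed TCP payloads: a message at the start of a segment (claimed),
 * and one that begins mid-segment, as in case 3 of the post (refused). */
static const unsigned char at_start[] = "YHOO-constructed-body";
static const unsigned char mid_segment[] = "tail-of-previous-msgYHOO-constructed-body";

int main(void)
{
    printf("at_start    -> %s\n", dissect_tcp_payload(at_start, sizeof at_start - 1));
    printf("mid_segment -> %s\n", dissect_tcp_payload(mid_segment, sizeof mid_segment - 1));
    return 0;
}
```

Calling `yahoo_heur` directly on the mid-segment payload still returns 0, which is why forcing a heuristic dissector would not change the result.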