Ethereal-users: RE: [Ethereal-users] TCP "Data" ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tony Scarola <TONYS@xxxxxxx>
Date: Wed, 19 Nov 2003 16:32:19 -0500

Guy,

Thank you.

One other thing... (You might have known I'd ask).

Do you know if it is possible to simply tell Ethereal that a certain port
maps to a specific application (i.e. port 5900 is [most likely] VNC)?

I see that there is a "decode as" option; however, I do not see any way to
change or develop custom protocols for "unknown ports". I would think there
might be an easy way for non-programmers to add custom ports.

Thank you again,

Tony

-----Original Message-----
From: Guy Harris
To: Tony Scarola
Cc: 'ethereal-users@xxxxxxxxxxxx'
Sent: 11/19/2003 3:47 PM
Subject: Re: [Ethereal-users] TCP "Data" ?


On Nov 19, 2003, at 12:14 PM, Tony Scarola wrote:

> I am attempting my first Ethereal 0.9.16 packet capture and analysis
> (660,865 frames). Upon performing the protocol analysis, I have come
> across the protocol "Data" (Frame/Ethernet/Internet Protocol/Transmission
> Control Protocol/Data) as shown within "Protocol Hierarchy Statistics"
> screen, and cannot find any information as to its definition. I assume it
> refers to TCP data that does not match the "known" ports that Ethereal
> understands, but need to be sure.

It refers to anything that a given dissector, such as the TCP 
dissector, doesn't find a dissector to handle, and dissects it as 
"Data" instead.  If it's under "Transmission Control Protocol", it 
refers to TCP payload for traffic that isn't to or from a known port, 
isn't matched by a heuristic dissector that runs atop TCP (ONC RPC, DCE 
RPC, etc.), and isn't part of a conversation set up by another protocol 
(e.g., something set up as RTP or RTCP by RTSP or SIP/SDP).

> Is there any way to build a filter to show only this TCP Data as
> described above?

"tcp && data" should work - although that'd also show packets if the 
protocol running atop TCP *itself* had payload that it handed to a 
subdissector, but couldn't find a subdissector and dissected it as 
"Data".
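
The fallback to "Data" discussed in this thread, as a toy Python model added to this archive page; it is not Ethereal code and not from either poster. The port table, the one-byte heuristic, the lookup order, the `decode_as` parameter and the sample segments are all assumptions constructed for the illustration.

```python
# Toy model of TCP payload hand-off; not Ethereal source code.
KNOWN_PORTS = {80: "http", 111: "rpc"}  # constructed table, not Ethereal's real one

def heuristic(payload):
    # Stand-in heuristic dissector: claims the payload only if it recognises it.
    return "dcerpc" if payload[:1] == b"\x05" else None

def dissect_tcp(pkt, conversations=None, decode_as=None):
    """Return the protocol layers for one constructed TCP segment."""
    layers = ["eth", "ip", "tcp"]
    if not pkt["payload"]:
        return layers  # bare ACK/SYN: nothing to hand off, so no "data" either
    table = {**KNOWN_PORTS, **(decode_as or {})}  # decode_as models a user port mapping
    ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    proto = ((conversations or {}).get(ends)
             or next((table[p] for p in (pkt["sport"], pkt["dport"]) if p in table), None)
             or heuristic(pkt["payload"]))
    if proto is None:
        return layers + ["data"]  # nobody claimed the payload
    layers.append(proto)
    if pkt.get("inner_unclaimed"):
        layers.append("data")  # upper protocol found no subdissector for its own payload
    return layers

def tcp_and_data(layers):
    # Equivalent of the display filter "tcp && data" applied to the layer list.
    return "tcp" in layers and "data" in layers

def seg(sport, dport, payload, **extra):
    return {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": sport,
            "dport": dport, "payload": payload, **extra}

# Constructed sample segments.
SAMPLES = {
    "vnc_unknown_port": seg(40000, 5900, b"RFB 003.003\n"),
    "http": seg(40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    "heuristic_hit": seg(40002, 49152, b"\x05\x00\x0b"),
    "bare_ack": seg(40003, 5900, b""),
    "rpc_inner": seg(40004, 111, b"\x80\x00\x00\x10", inner_unclaimed=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        layers = dissect_tcp(pkt)
        print(f"{name:18} {'/'.join(layers):24} tcp&&data={tcp_and_data(layers)}")
    print("with 5900 mapped:", dissect_tcp(SAMPLES["vnc_unknown_port"], decode_as={5900: "vnc"}))
```

The `rpc_inner` sample is on a known port yet still matches the filter, which is the caveat about a protocol atop TCP dissecting its own unclaimed payload as "Data".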