Ethereal-users: Re: [Ethereal-users] TCP data being identified as random protocols

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 25 Feb 2004 19:00:59 -0800 (PST)
Robert Haynes said:
> Basically Ethereal is recognizing
> the data portion of these connections as different protocols instead of
> just basic TCP data.

Ethereal recognizes TCP data as particular protocols in one of several ways:

    1) the traffic is sent to or from a port for which a dissector has
registered itself, because that's the standard port for that protocol;

    2) the traffic is accepted by a "heuristic dissector" as being traffic
for that dissector's protocol;

    3) some other dissector has specified that traffic between particular
endpoints will be traffic for a particular protocol (for example, the
RTSP dissector sets up certain endpoints as being for RTP or RTCP,
based on the RTSP messages).

These could cause traffic to be incorrectly identified as being for a
particular protocol, e.g. if traffic for some other protocol uses a port
for which Ethereal has a dissector.

Some of the dissectors for particular ports will check whether the packet
looks as if it's traffic for that protocol, and reject it if it's not
(that's similar to what heuristic dissectors do).  Not all of them will do
so; it's not necessarily the case that a good check (one that accepts all
packets for that protocol, and doesn't accept too many packets *not* for
that protocol) can be implemented.

Ethereal lacks sufficient context to get the right answer all the time. 
You can, as a last resort, disable dissectors for protocols you're not
using and that use ports that, at your site, are being used for some other
protocol; recent versions of Ethereal let you save the set of disabled
protocols so that it's used in all Ethereal sessions.
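As an added illustration (not Ethereal code, and not part of Guy Harris's message), here is a small Python model of the three identification paths he lists, the payload sanity check some port dissectors perform, and the disabled-protocol list; the class names, the lookup order and all addresses, ports and payloads are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
@dataclass
class Dissector:
    name: str
    check: Optional[Callable[[bytes], bool]] = None  # None: a port dissector that never rejects
def looks_like_http(payload: bytes) -> bool:
    # Crude sanity check of the kind the mail describes: method token or status line.
    token = payload.split(b" ", 1)[0]
    return token in {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"} or token.startswith(b"HTTP/")

@dataclass
class Classifier:
    by_port: dict = field(default_factory=dict)        # 1) dissectors registered on a port
    heuristics: list = field(default_factory=list)     # 2) heuristic dissectors, tried in order
    conversations: dict = field(default_factory=dict)  # 3) endpoint pairs set up by another dissector
    disabled: set = field(default_factory=set)         # protocols the user switched off

    def classify(self, src, dst, payload: bytes) -> str:
        # Assumed lookup order: conversation, registered port, heuristics, else plain data.
        name = self.conversations.get((src, dst)) or self.conversations.get((dst, src))
        if name and name not in self.disabled:
            return name
        for port in (src[1], dst[1]):
            d = self.by_port.get(port)
            if d and d.name not in self.disabled and (d.check is None or d.check(payload)):
                return d.name
        for d in self.heuristics:
            if d.name not in self.disabled and d.check(payload):
                return d.name
        return "data"

def demo() -> dict:
    # Constructed sample set-up: addresses, ports and payloads are made up for illustration.
    c = Classifier()
    c.by_port[80] = Dissector("http", looks_like_http)  # port dissector that checks the payload
    c.by_port[23] = Dissector("telnet")                 # port dissector that accepts anything
    c.heuristics.append(Dissector("http", looks_like_http))
    c.conversations[(("10.0.0.5", 5004), ("10.0.0.9", 40000))] = "rtp"  # as RTSP would set up
    a, junk = ("10.0.0.5", 51000), b"\x00\x01\x02\x03 binary"
    r = {
        "http_on_80": c.classify(a, ("10.0.0.9", 80), b"GET /index.html HTTP/1.1\r\n"),
        "junk_on_80": c.classify(a, ("10.0.0.9", 80), junk),     # check rejects it: plain data
        "junk_on_23": c.classify(a, ("10.0.0.9", 23), junk),     # no check: misidentified as telnet
        "http_on_8888": c.classify(a, ("10.0.0.9", 8888), b"HEAD / HTTP/1.0\r\n"),  # via heuristic
        "rtp_conv": c.classify(("10.0.0.5", 5004), ("10.0.0.9", 40000), junk),
    }
    c.disabled.add("telnet")  # the last-resort fix from the mail
    r["junk_on_23_disabled"] = c.classify(a, ("10.0.0.9", 23), junk)
    return r
```

The "junk_on_23" case is the misidentification the thread is about: a port dissector with no sanity check claims whatever lands on its port, and disabling that protocol returns the bytes to plain TCP data.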