Ethereal-users: Re: [Ethereal-users] Two Ethereal questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Thu, 4 Nov 2004 08:21:24 +1100
On Wed, 3 Nov 2004 12:08:28 +0000, Julian Fielding wrote:
> 
> 3. Packets with unusual ports. The enip dissector looks for 44818 (explicit)
> and 2222 (implicit). That usually works for explicit messages but not
> necessarily for implicit because any ports may be specified with the
> preceding (explicit) Forward_Open command and response. (Solution: identify
> such a packet and use Decode As enip. Enip appears twice in the Decode As
> list, as do several other protocols. Try both. One will be ignored, the
> other should work.) 

If these other ports are signalled inside previous enip packets, then
the best solution would be to teach the enip dissector that when it
sees that a new port is being signalled for enip, then it will create
a new conversation for that protocol and specify it as being enip,
so that Ethereal will automagically detect these packets as enip as well.

There are some examples of how this is done in the packet-h2x5.c
dissectors as well as the dissector for the portmapper protocol.

grep for conversation in those files...
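
The conversation approach suggested in the reply above, as an added stand-alone C example that is not part of the original message and is not Ethereal source code. All function and type names (`conv_learn`, `conv_find`, `classify`) and the addresses and ports in `main` are hypothetical and constructed for illustration; only the well-known ports 44818 and 2222 come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-alone model; every name below is hypothetical, not Ethereal's API. */
enum proto { PROTO_UNKNOWN, PROTO_ENIP };
struct conv { uint32_t addr_a, addr_b; uint16_t port; };
#define MAX_CONV 64
static struct conv conv_table[MAX_CONV];
static size_t conv_count;

/* Find a learned conversation between two hosts on a port, either direction. */
static struct conv *conv_find(uint32_t src, uint32_t dst, uint16_t port)
{
    for (size_t i = 0; i < conv_count; i++) {
        struct conv *c = &conv_table[i];
        int same_hosts = (c->addr_a == src && c->addr_b == dst) ||
                         (c->addr_a == dst && c->addr_b == src);
        if (same_hosts && c->port == port)
            return c;
    }
    return NULL;
}

/* Called when an explicit Forward_Open exchange signals a port for implicit data. */
int conv_learn(uint32_t a, uint32_t b, uint16_t port)
{
    if (conv_find(a, b, port)) return 0;    /* already registered */
    if (conv_count == MAX_CONV) return -1;  /* table full: refuse, never overwrite */
    conv_table[conv_count++] = (struct conv){ a, b, port };
    return 0;
}

/* Well-known ports first (44818 explicit, 2222 implicit), then learned ones. */
enum proto classify(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    if (sport == 44818 || dport == 44818 || sport == 2222 || dport == 2222)
        return PROTO_ENIP;
    if (conv_find(src, dst, sport) || conv_find(src, dst, dport))
        return PROTO_ENIP;
    return PROTO_UNKNOWN;
}

int main(void)
{
    uint32_t plc = 0x0A000001, io = 0x0A000002;       /* constructed addresses */
    printf("before: %d\n", classify(plc, io, 49152, 49153));
    conv_learn(plc, io, 49153);                       /* port seen in Forward_Open */
    printf("after:  %d\n", classify(plc, io, 49152, 49153));
    return 0;
}
```

Binding the learned port to the two endpoints that negotiated it keeps unrelated traffic on the same port number from being labelled enip.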