Wireshark · Ethereal-users: [Ethereal-users] ? change in Gnutella dissector

Ethereal-users: [Ethereal-users] ? change in Gnutella dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Matevž Pustišek <matevz.pustisek@xxxxxxxxxxxx>

Date: Thu, 27 Jan 2005 17:45:13 +0100

Hi!

I am filtering out some p2p traffic (including gnutella) from a larger
capture file. Recently I have upgraded from ethereal-0.10.9-SVN-13086 to
ethereal-0.10.9-SVN-13180 and noticed a major change in results of gnutella
filtering. The "continuation" packets are not present in
ethereal-0.10.9-SVN-13180 anymore. If I filter the same capture file with
the elder version, I get for example:

 56   0.292077 64.139.230.112 -> 153.5.132.59 Gnutella Unknown[Unreassembled
Packet]
 57   0.297324 64.139.230.112 -> 153.5.132.59 TCP [Continuation to #56]
gnutella-svc > 4401 [PSH, ACK] Seq=1460 Ack=0 Win=63438 Len=1025

In ethereal-0.10.9-SVN-13180 packet 57 is not present and neither are other
in countinuation to #56. It seems as if the dissector works differently now.
Due to this change, capinfos on the filtered files produces notably
different statistics (roughly 10% less packets and the average packet size
is much smaller in capture filtered by ethereal-0.10.9-SVN-13180).

Is this change made deliberately? I haven't noticed any discussion on
gnutella lately. What exactly does the "countinuation" refer to? A jumbo
frame?

Thanks, Matevz

Follow-Ups:
- Re: [Ethereal-users] ? change in Gnutella dissector
  - From: Guy Harris

References:
- AW: [Ethereal-users] Filter for hex string
  - From: Boenisch Joerg

Prev by Date: AW: [Ethereal-users] Filter for hex string
Next by Date: [Ethereal-users] RE: Capture Header Decoding for Netxray (NetAsyst)
Previous by thread: AW: [Ethereal-users] Filter for hex string
Next by thread: Re: [Ethereal-users] ? change in Gnutella dissector
Index(es):
- Date
- Thread