Ethereal-users: Re: [Ethereal-users] How does ethereal identify tftp transfer

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 6 Mar 2006 17:40:51 +0100 (CET)
Use the source, Luke.......

Reading the source of the TFTP dissector, the author explains just how it
works:

        /*
         * The first TFTP packet goes to the TFTP port; the second one
         * comes from some *other* port, but goes back to the same
         * IP address and port as the ones from which the first packet
         * came; all subsequent packets go between those two IP addresses
         * and ports.
         *
         * If this packet went to the TFTP port, we check to see if
         * there's already a conversation with one address/port pair
         * matching the source IP address and port of this packet,
         * the other address matching the destination IP address of this
         * packet, and any destination port.
         *
         * If not, we create one, with its address 1/port 1 pair being
         * the source address/port of this packet, its address 2 being
         * the destination address of this packet, and its port 2 being
         * wildcarded, and give it the TFTP dissector as a dissector.
         */


Enjoy,
Jaap

On Mon, 6 Mar 2006, Nitin Shrivastav wrote:

> Hello,
>
> I am trying to understand how ethereal identifies
> tftp data packets. I am running ethereal on the server
> machine. When I initiate the tftp transfer from the
> client, my client uses a local udp port number 'x' and
> the dest port is the well-defined tftp port 69.
>
> Now the server responds back with a local udp source port
> 'y' destined to port 'x'. Subsequently, all the data
> transfer happens using these two ports. On capturing
> the packets in ethereal, it correctly identifies all
> the data packets as belonging to a tftp connection.
>
> The question is how ethereal identifies this.
> Does it mark the original client port number 'x' in
> the first request packet to identify all the
> subsequent packets with source port 'x' as belonging
> to tftp?
>
> Thanks for your help,
> Nitin
>
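
The lookup described in the dissector comment above, as an added example that is not part of the original message and is not Ethereal's code: a small C model of a conversation table whose port 2 starts out wildcarded. The names `struct conv`, `lookup`, `is_tftp`, the `ANY_PORT` sentinel, the constructed addresses and the choice to pin port 2 on the first reply are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#define TFTP_PORT 69
#define ANY_PORT  0   /* sentinel standing in for a wildcarded port 2 */
#define MAX_CONV  16

/* Constructed model of a conversation table, not Ethereal's structures. */
struct conv { uint32_t addr1; uint16_t port1; uint32_t addr2; uint16_t port2; };
static struct conv table[MAX_CONV];
static int nconv;

/* Find addr1/port1 + addr2; port 2 matches if ignored, wildcarded or equal. */
static struct conv *lookup(uint32_t a1, uint16_t p1, uint32_t a2, uint16_t p2, int any)
{
    for (int i = 0; i < nconv; i++) {
        struct conv *c = &table[i];
        if (c->addr1 == a1 && c->port1 == p1 && c->addr2 == a2 &&
            (any || c->port2 == ANY_PORT || c->port2 == p2))
            return c;
    }
    return NULL;
}

/* Returns 1 if the UDP packet would be handed to the TFTP dissector. */
int is_tftp(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    struct conv *c;
    if (dport == TFTP_PORT) {
        /* Request to port 69: reuse the entry or create a wildcarded one. */
        if (!lookup(src, sport, dst, 0, 1) && nconv < MAX_CONV)
            table[nconv++] = (struct conv){ src, sport, dst, ANY_PORT };
        return 1;
    }
    /* Reply from address 2: the first one pins port 2 (model assumption). */
    if ((c = lookup(dst, dport, src, sport, 0)) != NULL) {
        c->port2 = sport;
        return 1;
    }
    return lookup(src, sport, dst, dport, 0) != NULL; /* client -> server port */
}

int main(void)
{
    uint32_t cl = 0x0A000001, sv = 0x0A000002;     /* constructed addresses */
    printf("%d ", is_tftp(cl, 40000, sv, 69));     /* request, x -> 69 */
    printf("%d ", is_tftp(sv, 51000, cl, 40000));  /* reply, y -> x    */
    printf("%d\n", is_tftp(cl, 40001, sv, 51000)); /* unrelated flow   */
    return 0;
}
```

Only the request is matched by port number; every later packet is labelled TFTP because it falls inside the tracked conversation, so a flow on the same server port from a different client port or host is not labelled.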