On Aug 21, 2006, at 3:43 AM, Ellington, Jerry wrote:
> -------------------
> The Ethereal project is being continued at a new site. Please go to
> http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxx.
> Don't forget to unsubscribe from this list at
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -------------------
> I just joined the group,
Unfortunately, you joined the wrong group; as the above note suggests,
the *correct* group is wireshark-users:
http://www.wireshark.org/lists/
because Ethereal isn't currently being developed - all development has
moved to Wireshark.
> so if I'm not doing this properly please let me know.
> I'm looking for a way to set up protocol forcing. I.e.:
> if TCP port 8473 then skip 4 bytes then ISO CLNP
> Anybody know how to do that?
No, because there is no way to do that.
Do you really mean
if TCP port 8473, then use TPKT encapsulation, but of CLNP rather
than COTP?
I.e. are those "4 bytes" not just "4 bytes", but a version byte, a
reserved byte, and a 2-byte field containing the length of the CLNP
PDU plus 4 for the TPKT header?
If so, then the way to do that would be to
1) change the packet-tpkt.c dissector to have a new dissector for
TPKT-encapsulated CLNP;
2) have that dissector register itself for TCP port 8473.
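
The framing described in the reply above, as an added stand-alone C example; it is not Wireshark code and not part of the original message. The names `tpkt_parse` and `tpkt_count_pdus` are hypothetical, the sample bytes are constructed, and the version value 3 comes from RFC 1006 rather than from the post. It shows the two length checks a dissector for this encapsulation needs before it hands the payload to a CLNP decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPKT_HDR_LEN 4
#define TPKT_VERSION 3  /* from RFC 1006; the post only says "a version byte" */

enum tpkt_status { TPKT_OK = 0, TPKT_NEED_MORE = 1, TPKT_BAD = -1 };

/* Constructed samples: payload bytes are placeholders, not real CLNP PDUs. */
static const uint8_t sample_stream[] = { 3,0,0,7, 0xAA,0xBB,0xCC, 3,0,0,5, 0xDD };
static const uint8_t sample_bad_len[] = { 3,0,0,2 };  /* length smaller than the header */

/* Parse one TPKT frame at buf[0..avail). On TPKT_OK, *payload points at the
 * encapsulated PDU, *payload_len is its size and *frame_len is the number of
 * stream bytes the frame occupies (header included). */
static enum tpkt_status tpkt_parse(const uint8_t *buf, size_t avail,
        const uint8_t **payload, size_t *payload_len, size_t *frame_len)
{
    if (avail < TPKT_HDR_LEN) return TPKT_NEED_MORE;  /* header split across segments */
    if (buf[0] != TPKT_VERSION) return TPKT_BAD;
    size_t total = ((size_t)buf[2] << 8) | buf[3];    /* big-endian, counts the header */
    if (total < TPKT_HDR_LEN) return TPKT_BAD;        /* total - 4 would underflow */
    if (total > avail) return TPKT_NEED_MORE;         /* never read past captured bytes */
    *payload = buf + TPKT_HDR_LEN;
    *payload_len = total - TPKT_HDR_LEN;
    *frame_len = total;
    return TPKT_OK;
}

/* Walk a reassembled TCP stream; returns the number of complete PDUs found,
 * or -1 as soon as a malformed header is seen. */
static int tpkt_count_pdus(const uint8_t *stream, size_t len)
{
    const uint8_t *p; size_t plen, flen; int n = 0;
    while (len > 0) {
        enum tpkt_status st = tpkt_parse(stream, len, &p, &plen, &flen);
        if (st == TPKT_BAD) return -1;
        if (st == TPKT_NEED_MORE) break;              /* wait for more TCP data */
        n++; stream += flen; len -= flen;
    }
    return n;
}

int main(void)
{
    printf("complete PDUs: %d\n", tpkt_count_pdus(sample_stream, sizeof sample_stream));
    printf("bad length:    %d\n", tpkt_count_pdus(sample_bad_len, sizeof sample_bad_len));
    return 0;
}
```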