Pedro Gon�alves wrote:
> Hi
>
> I'm having some trouble while decoding STUN Binding Request and Responses.
> Sometimes they get decoded the right way, sometimes STUN packets are
> decoded as DNP 3.0, RTP or RTCP (?!).
>
> I'm sending two captures I made so you can check for yourself:
> for example, in problems_wireshark_1.pcap, odd packets are STUN Binding
> Request and even packets are STUN Binding Responses.
>
> Why are the first two packets decoded as DNP 3.0 and the rest of them
> are decoded ok?
>
Which version of Wireshark?
The DNP decoding occurs because the messages are using port 20000 which
is the port DNP 3.0 uses. I have strengthened the DNP heuristics
recently, including an error where UDP packets were treated as tcp
fragments. This was committed as r20651 & r20683 around the beginning
of Feb 2007. I don't think these were in 0.99.5.
My current version handles the file correctly.
As a workaround, disable DNP 3.0 from Analyze | Enabled Protocols ...,
or try a buildbot build.
--
Regards,
Graham Bloice