On Oct 30, 2008, at 1:59 AM, robertp wrote:
There's no information in the header itself that identifies it as a TPKT
header. However, Wireshark correctly identifies this header, even when
captured (as in this case) on a different port from the standard 102 for
TPKT traffic.
TPKT is both a protocol with a standard port number and an
encapsulation used by that protocol and some other protocols.
One of those is Q.931-over-TCP, and...
Does anyone know how Wireshark does this ? In terms of packet
structure / bytes.
...the Q.931 dissector module includes a "heuristic" dissector for
Q.931-over-TCP, which:
first calls the TPKT dissector's general heuristic routine, which
checks whether the first octet is 3 and the second octet is 0 and, if
both are the case, where the putative packet length is big enough for
a minimum-length packet, where the minimum length is supplied by the
caller (so, in this case, it checks for a minimum-length Q.931 packet);
then, if either
1) the current TCP segment is exactly 4 bytes long (so it's only the TPKT header)
or
2) the segment also includes the first 3 bytes of a Q.931 message,
and the putative protocol discriminator field has the NLPID of Q.931 (8)
it's treated as the beginning of a Q.931 packet.
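The two-stage check described above, written out as an added example (my own code, not Wireshark's, and not part of the original thread). The TPKT header layout it assumes is version (1 octet), reserved (1 octet), length (2 octets, big-endian, including the 4-octet header); the minimum Q.931 payload length is an assumed parameter, since the message only says the caller supplies it. The sample segments are constructed.

```python
import struct
from typing import Optional

TPKT_HEADER_LEN = 4
Q931_NLPID = 0x08  # Q.931 protocol discriminator, as stated in the reply


def tpkt_heuristic(segment: bytes, min_payload_len: int) -> Optional[int]:
    """Stage 1: the TPKT dissector's general heuristic.

    Returns the TPKT-declared packet length if the first octet is 3, the
    second is 0 and the declared length leaves room for at least
    min_payload_len octets after the header; otherwise None.
    """
    if len(segment) < TPKT_HEADER_LEN:
        return None
    version, reserved, length = struct.unpack("!BBH", segment[:TPKT_HEADER_LEN])
    if version != 3 or reserved != 0:
        return None
    if length < TPKT_HEADER_LEN + min_payload_len:
        return None
    return length


def looks_like_q931_over_tpkt(segment: bytes, min_q931_len: int = 3) -> bool:
    """Stage 2: the Q.931-over-TCP heuristic built on top of stage 1.

    Accepts a segment that is exactly the TPKT header, or one that also
    carries at least the first 3 octets of a Q.931 message whose
    protocol discriminator is the Q.931 NLPID. Note that any other
    partial segment (5 or 6 octets) is rejected, exactly as described.
    """
    if tpkt_heuristic(segment, min_q931_len) is None:
        return False
    if len(segment) == TPKT_HEADER_LEN:
        return True  # only the TPKT header is present in this segment
    if len(segment) >= TPKT_HEADER_LEN + 3:
        return segment[TPKT_HEADER_LEN] == Q931_NLPID
    return False


# Constructed sample segments (not captured traffic).
HEADER_ONLY = bytes.fromhex("03000008")              # TPKT, length 8
Q931_SETUP = bytes.fromhex("0300000c" "0802000105")  # TPKT + Q.931 start
NOT_TPKT = bytes.fromhex("0200000c" "0802000105")    # version octet is 2
NOT_Q931 = bytes.fromhex("0300000c" "0902000105")    # discriminator is 9
```

Because the check is only four octets of header plus one octet of payload, unrelated traffic that happens to start with 03 00 can be misclassified; that is the usual trade-off of port-independent heuristics.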