Wireshark-users: Re: [Wireshark-users] A simple question about Wireshark: confusion about OICQ

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Fri, 06 Mar 2009 10:23:37 -0500
Adele wrote:
Dear Olivier,

Thanks a lot for your help. But I am really confused here. If it is like what you said that as long as a
packet's UDP port is 8000, Wireshark will recognize it as a OICQ packet.
Then anyone can send UDP packets and assign 8000 as the port number. So all
these UDP packets will be recognized as OICQ packets? Is this a little bit
too easy for recognizing a packet, and also too easy for others to 'cheat'?

Also, if it is possible, may I ask where I can find the source code about
how to recognize protocols? Is this part open sourced?


1. The log of the revisions for the source code for the OICQ dissector can be found at:

http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-oicq.c

Click on 'view' for a particular revision to see the actual source code.

2. It appears that the current 'stable' release of Wireshark [1.0.6] has revision 21603 of the OICQ dissector. This version assumes all UDP packets on UDP port 8000 are OICQ.

There have been two later revisions to strengthen the identification of a packet as OICQ. This was done by checking (for UDP packets on port 8000) whether certain data bytes have values valid for the OICQ protocol.

Please See the source code for the details....

I think (but am not sure) that latest 'development' release (1.1.2) has revision 25317 which checks the data bytes but which has a bug in the check.

Revision 27617 fixes the bug and is the latest in the development branch for the OICQ dissector.