Guy,

Thank you.

One other thing... (You might have known I'd ask). Do you know if it is possible to simply tell Ethereal that a certain port maps to a specific application (i.e. port 5900 is [most likely] VNC)? I see that there is a "decode as" option, however, do not see any way to change or develop custom protocols for "unknown ports". I would think there might be an easy way for non-programmers to add custom ports.

Thank you again,
Tony

-----Original Message-----
From: Guy Harris
To: Tony Scarola
Cc: '[EMAIL PROTECTED]'
Sent: 11/19/2003 3:47 PM
Subject: Re: [Ethereal-users] TCP "Data" ?

On Nov 19, 2003, at 12:14 PM, Tony Scarola wrote:

> I am attempting my first Ethereal 0.9.16 packet capture and analysis (660,865 frames). Upon performing the protocol analysis, I have come across the protocol "Data" (Frame/Ethernet/Internet Protocol/Transmission Control Protocol/Data) as shown within "Protocol Hierarchy Statistics" screen, and cannot find any information as to its definition. I assume it refers to TCP data that does not match the "known" ports that Ethereal understands, but need to be sure.

It refers to anything that a given dissector, such as the TCP dissector, doesn't find a dissector to handle, and dissects it as "Data" instead. If it's under "Transmission Control Protocol", it refers to TCP payload for traffic that isn't to or from a known port, isn't matched by a heuristic dissector that runs atop TCP (ONC RPC, DCE RPC, etc.), and isn't part of a conversation set up by another protocol (e.g., something set up as RTP or RTCP by RTSP or SIP/SDP).

> Is there any way to build a filter to show only this TCP Data as described above?

"tcp && data" should work - although that'd also show packets if the protocol running atop TCP *itself* had payload that it handed to a subdissector, but couldn't find a subdissector and dissected it as "Data".
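
Added example, not part of the original thread and not Ethereal code: a Python sketch that reads a classic libpcap capture and counts payload-bearing TCP segments whose ports are not in a port table, which approximates only the first condition in the reply above (traffic that isn't to or from a known port). The table `KNOWN_TCP_PORTS`, the function names and the sample capture are assumptions constructed for illustration; heuristic and conversation-based dissection are not modelled.

```python
import struct
from collections import Counter

# Assumption: a tiny stand-in for a dissector port table, not Ethereal's real one.
KNOWN_TCP_PORTS = {21: "FTP", 23: "TELNET", 25: "SMTP", 80: "HTTP", 110: "POP"}

def unknown_port_payloads(pcap_bytes, known=KNOWN_TCP_PORTS):
    """Count payload-bearing TCP segments with neither port in `known`,
    keyed by the lower port number (usually the server side)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(order + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(order + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP over Ethernet II
        ihl = (frame[14] & 0x0F) * 4
        frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frag_offset or len(frame) < 14 + ihl + 20:
            continue  # later IP fragment or truncated TCP header
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload_len = total_len - ihl - (tcp[12] >> 4) * 4
        if payload_len > 0 and sport not in known and dport not in known:
            counts[min(sport, dport)] += 1
    return counts

def build_frame(sport, dport, payload):
    """Constructed sample frame: Ethernet II + IPv4 + TCP, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: VNC-like traffic on 5900, one HTTP request, one bare ACK."""
    frames = [build_frame(40000, 5900, b"RFB 003.003\n"), build_frame(5900, 40000, b"\x01"),
              build_frame(40001, 80, b"GET / HTTP/1.0\r\n\r\n"), build_frame(40000, 5900, b"")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(dict(unknown_port_payloads(sample_pcap())))
```

Passing a table that also contains 5900 makes those segments drop out of the count, which is the effect the port-mapping question in the thread is after.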