Ethereal-users: [Ethereal-users] Trouble with "Follow TCP Stream" ??

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: J.B. <jbg@xxxxxxxxxxxxx>
Date: Wed, 10 Apr 2002 19:05:51 +0000

Hi all,

I just figured out a problem (bug?) with the "Follow TCP Stream" feature that's been bugging me for a week (no pun intended).  It appears that if your TCP stream contains bytes that can be misconstrued as a signature for a sub-protocol of TCP (like SMPP), and the decoder for that protocol is enabled, the "follow TCP stream" skips the packet then ends the stream prematurely because the packets are no longer in sequence.

In my case, there was a TCP packet in my stream that was decoded as an SMPP packet (it just happened to have the right bytes in it).  Although the stream was far from ended, "follow tcp stream" said the stream was done as soon as it hit the packet that it determined was an SMPP packet.

Of course, my work-around was to turn off SMPP decoding.

It would be very nice, however, if "follow TCP stream" was smart enough to notice that this packet was still a TCP packet between the correct ports and include it in the stream.  It would have saved me a lot of head-scratching time too! Interestingly enough, the filter generated by "follow tcp stream" didn't filter out the alleged SMPP packet, so at least that part was working fine.

As I was searching the archives of this list, I noticed other people have reported similar problems, but never really figured it out.  This is likely the same problem.
- J.B.
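
The behaviour reported above, as an added example that is not part of the original post and is not Ethereal's code: a simplified model in which one reassembler skips segments that a sub-dissector has relabelled, and another keys only on the 4-tuple and sequence numbers. All names (`Segment`, `top_proto`, `follow_by_label`, `follow_by_tuple`) and the capture data are constructed for illustration.

```python
from collections import namedtuple

# top_proto models the label a dissector attached to the segment (hypothetical field).
Segment = namedtuple("Segment", "src sport dst dport seq payload top_proto")

def _offset(seg, isn):
    # Position of the segment in the byte stream, tolerant of 32-bit sequence wrap.
    return (seg.seq - isn) % 2**32

def follow_by_tuple(segments, flow, isn):
    """Reassemble one direction using only the 4-tuple and sequence numbers."""
    mine = [s for s in segments if (s.src, s.sport, s.dst, s.dport) == flow]
    data = b""
    for seg in sorted(mine, key=lambda s: _offset(s, isn)):
        off = _offset(seg, isn)
        if off > len(data):
            break  # gap: a segment is missing, so the stream ends here
        # Drop bytes already collected (retransmission or overlap).
        data += seg.payload[len(data) - off:]
    return data

def follow_by_label(segments, flow, isn):
    """Model of the reported behaviour: relabelled segments are skipped first."""
    kept = [s for s in segments if s.top_proto == "tcp"]
    return follow_by_tuple(kept, flow, isn)

# Constructed sample capture: out of order, with one retransmission, one
# segment mislabelled as SMPP, and one segment from an unrelated connection.
FLOW = ("10.0.0.1", 40000, "10.0.0.2", 9000)
ISN = 1000  # sequence number of the first data byte (constructed)
CAPTURE = [
    Segment("10.0.0.1", 40000, "10.0.0.2", 9000, 1013, b"TAIL", "tcp"),
    Segment("10.0.0.1", 40000, "10.0.0.2", 9000, 1000, b"HELLO ", "tcp"),
    Segment("10.0.0.1", 40000, "10.0.0.2", 9000, 1006, b"BINARY ", "smpp"),
    Segment("10.0.0.1", 40000, "10.0.0.2", 9000, 1000, b"HELLO ", "tcp"),
    Segment("10.0.0.9", 40001, "10.0.0.2", 9000, 1000, b"OTHER", "tcp"),
]

if __name__ == "__main__":
    print("by label:", follow_by_label(CAPTURE, FLOW, ISN))
    print("by tuple:", follow_by_tuple(CAPTURE, FLOW, ISN))
```

When comparing an extracted stream against the capture, a shortfall between the reassembled length and the highest sequence offset seen for the flow is a sign that segments were dropped before reassembly.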