Ethereal-users: Re: [Ethereal-users] Possible Protocol Mismatch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Tue, 3 Jun 2003 07:13:07 +0100
Joris Lambrecht wrote:
>There is a recurring Zebra Protocol capture which is not supposed to occur,
>as far as I know there might be a Zebra router on the network but the
>src/dest addresses involved do not return anything close to the routers I
>know which are in the network. I even checked the workstation involved with
>replying "Zebra Response", there is no such software running on that
>workstation.
>
>I figured out most of the traffic on this network/subnet but cannot pinpoint
>the validity of the Zebra Protocol. Did anyone ever encounter a similar
>situation in which packets could have been mistaken for a known protocol?

It's quite normal that Ethereal misinterprets some packets as a protocol other than the one they really are, since it's often not possible to determine exactly what protocol it is based on heuristics, but often you will notice that the decoding fails for a part of the packet in those cases (indicated as "[Malformed packet]" or similar) or that part of the message looks like garbage.

I have sometimes had to disable some protocols due to this, remove some plugins (e.g. the PCLI plugin that registers UDP port 9000) and change the protocol preferences for some protocols (e.g. iSCSI and Diameter, which register certain TCP port numbers that are often used by the client side of TCP connections) in order to avoid some protocols being misinterpreted by Ethereal.

Ethereal normally dissects TCP packets to or from port number 2600 with the Zebra dissector, and of course TCP port number 2600 could be used for a lot of different purposes (both as a server-side port number and as a client-side port number).

When the TCP connection is set up, is it established towards port number 2600 (i.e. the server side has port 2600), or
is it established towards another port number (i.e. the client side has port 2600)?

It could be good to check if the other port number is registered by IANA, or if it's listed in any of the other port number
lists available on the internet (a search for "port 4711" or similar in Google may give some interesting hits).

Also it could be interesting to see what happens with the TCP connection. Is it established (SYN, SYN-ACK, ACK) and
then some data is sent in one or both directions and then closed, or is there a further exchange of data before the
connection is closed, and how often is the TCP connection re-established?

You can maybe also have a look at whether there are other IP messages sent between these two IP addresses (other protocols
or port numbers).

It would be good if you could send some more details and maybe a short sample capture if possible.

Actually port number 2600 is registered by IANA as the port number for some HP specific protocols it seems.

http://www.iana.org/assignments/port-numbers
hpstgmgr 2600/tcp   HPSTGMGR
hpstgmgr 2600/udp   HPSTGMGR
#      Kevin Collins <kevinc@xxxxxxxxxxx>

I couldn't find any details about HPSTGMGR so I don't know what it is used for.

But tcp port number 2600 is also the normal port for Zebra protocol. Port number 2600 is also used by a trojan program ("Digital RootBeer") and also used in a lot of configuration examples, by some other software and so on.

http://www.seifried.org/security/ports/2000/2600.html
http://home.t-online.de/home/TschiTschi/well_known_trojaner_ports.htm
http://www.bekkoame.ne.jp/~s_ita/port/port2600-2699.html
http://www.geocities.com/nidhi_jain24/DefList.html
http://ethereal.archive.sunet.se/lists/ethereal-dev/200208/msg00100.html
http://www.usm.maine.edu/~houser/cos460/project.html
http://www.megasecurity.org/trojans/m/minicom/Minicom3.5.html
http://mail.nl.linux.org/xchat-discuss/2002-02/msg00163.html

You can try to disable "Zebra protocol" and see if the packets then just look like TCP packets
or if they are dissected by a heuristic dissector or based on the other port number.

However my guess is that they will look like TCP packets, since it may be a protocol
that isn't implemented in Ethereal or will not be automatically dissected based on heuristics.

You probably have to look into whether the packet hex data could give any more clues as to what protocol it is
(maybe you can see some text in the packet) and maybe also check what programs are running on the
workstation and if they are configured or hardcoded to use port number 2600.
You can maybe stop different programs one at a time and check with a netstat printout to determine what listening ports
are used by different programs.
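As an added illustration of the checks Martin suggests above (which side of the connection actually owns port 2600, how often the connection is re-established, and whether the first payload bytes contain readable text), and not code from the original post or from Ethereal itself: a small Python script run over a handful of constructed TCP segments. The hosts, ports and payloads below are made up for the example; the only fact taken from the post is that the Zebra dissector is keyed on TCP port 2600, which is why a client that merely picks 2600 as its ephemeral port gets decoded as Zebra too.

```python
"""Added example: decide which side of a TCP flow owns port 2600, count how
often connections to a 2600 listener are (re)established, and dump the first
payload in hex/ASCII to look for clues.  Sample traffic is constructed."""

from dataclasses import dataclass
import string

ZEBRA_PORT = 2600          # port Ethereal's Zebra dissector is registered on


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # TCP flag letters as a packet list shows them: S, SA, A, PA, F
    payload: bytes = b""


def flow_key(seg):
    """Direction-independent 4-tuple so both halves of a connection group together."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def printable_ratio(data):
    """Share of bytes that are printable ASCII; near 1.0 suggests a text protocol."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def hexdump(data, width=16):
    """Hex + ASCII lines like Ethereal's packet-bytes pane, so text clues stand out."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return lines


def classify_flows(segments):
    """For every flow touching ZEBRA_PORT, report which side owns the port.

    The SYN tells the truth: its destination is the listening (server) side.
    A dissector keyed on tcp.port fires either way, so a 2600 that appears as
    the *source* of the SYN is just a client that picked 2600 as an ephemeral port."""
    flows = {}
    for seg in segments:
        flows.setdefault(flow_key(seg), []).append(seg)

    report = {}
    for key, segs in flows.items():
        if ZEBRA_PORT not in (key[0][1], key[1][1]):
            continue
        syn = next((s for s in segs if s.flags == "S"), None)
        if syn is None:
            role, server = "unknown (no SYN captured)", None
        elif syn.dport == ZEBRA_PORT:
            role, server = "server", (syn.dst, syn.dport)
        else:
            role, server = "client", (syn.dst, syn.dport)
        first_payload = next((s.payload for s in segs if s.payload), b"")
        report[key] = {
            "port_2600_role": role,
            "server": server,
            "handshake_complete": syn is not None and any(s.flags == "SA" for s in segs),
            "first_payload": first_payload,
            "looks_like_text": printable_ratio(first_payload) > 0.9,
        }
    return report


def syn_count_to(server, segments):
    """How often a connection to this (ip, port) endpoint was (re)established."""
    return sum(1 for s in segments if s.flags == "S" and (s.dst, s.dport) == server)


# Constructed sample traffic (not from the poster's capture):
#   flow A: a workstation happens to use 2600 as its *client* port towards a web server
#   flows B and C: something really listening on 2600 gets a binary-looking message, twice
SAMPLE = [
    Segment("10.1.1.20", 2600, "10.1.1.80", 8080, "S"),
    Segment("10.1.1.80", 8080, "10.1.1.20", 2600, "SA"),
    Segment("10.1.1.20", 2600, "10.1.1.80", 8080, "PA", b"GET /status HTTP/1.0\r\n\r\n"),
    Segment("10.1.1.20", 2600, "10.1.1.80", 8080, "F"),
    Segment("10.1.1.33", 40001, "10.1.1.5", 2600, "S"),
    Segment("10.1.1.5", 2600, "10.1.1.33", 40001, "SA"),
    Segment("10.1.1.33", 40001, "10.1.1.5", 2600, "PA", bytes([0, 3, 1, 0, 0, 0, 10, 0])),
    Segment("10.1.1.33", 40001, "10.1.1.5", 2600, "F"),
    Segment("10.1.1.33", 40002, "10.1.1.5", 2600, "S"),
]

if __name__ == "__main__":
    for key, info in classify_flows(SAMPLE).items():
        print(key, "2600 is the", info["port_2600_role"], "side;",
              "text-like" if info["looks_like_text"] else "binary-like", "payload")
        for line in hexdump(info["first_payload"]):
            print("   ", line)
    print("SYNs towards 10.1.1.5:2600:", syn_count_to(("10.1.1.5", ZEBRA_PORT), SAMPLE))
```

With a real capture you would feed it the 4-tuples, flags and first payload bytes taken from Ethereal's packet list (after disabling the Zebra protocol, so the packets show as plain TCP). The role answer decides where to look next: a "server" result means something on that host really listens on 2600 (netstat on that host will show which program), while a "client" result means the workstation merely drew 2600 as an ephemeral port and the dissector match is noise.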