Ethereal-users: Re: [Ethereal-users] Is it possible to suppress ICQ: Unknown version message?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Wed, 9 Nov 2005 19:48:06 +0100
Title: Is it possible to suppress ICQ: Unknown version message?
One way could be to disable the ICQ protocol if you are not interested in the ICQ protocol at all and/or if you think that those packets are not ICQ packets.
 
In Ethereal you can do this from the menu item Analyze/Enabled Protocols ...
The protocol will be disabled permanently (even in Tethereal) until you enable it again, if you click Save after you have unchecked ICQ in the list of enabled protocols.
 
Another alternative is to edit the disabled_protos file manually. My disabled_protos file is in C:/Documents and Settings/Martin/Application Data/Ethereal.
The file should list the short names of the protocols that you want to disable, e.g.:
dlsw
icq
rx
 
From what I understand, there is probably another protocol that uses the same port number that the ICQ dissector registers (UDP port 4000),
either as source port or destination port.
If you disable the ICQ protocol, Ethereal may dissect the packet with another dissector (based on the other source port or destination port)
or based on heuristics.
If you know the protocol of the packet and it is implemented in Ethereal, it may be possible to use "Analyze/Decode As..." in Ethereal, or to use
the -d option with Tethereal.
 
I normally disable several protocols that I'm not interested in right after installing Ethereal: protocols that I know
are normally not used in the networks I'm analyzing, especially when I know the dissector registers with a port number
that is used by several different protocols.
 
It may also be possible to improve the ICQ dissector in such a way that it only accepts packets that really look like ICQ packets, if there
are some specific things that should always be valid for ICQ packets. I don't know much about ICQ, so I don't know whether that would be good
to do.
 
Best regards,
Martin
 
 
Niklas Abrahamsson (KI/EAB) wrote:

Does anyone have a clue as to if and how this could be done? I have tried looking all over but can't seem to find anything that works.
 
I've searched around and found this:
 
"The reason is that the ICQ dissector prints a message to the standard
error if it dissects a packet that doesn't have an ICQ version number it
knows about.  This can happen if non-ICQ UDP traffic to or from port
4000 is in a capture."
 
Which explains why I keep getting the message all the time.
The program I have calls on tethereal to output the whole tcpdump file with "-V" so that I can easily get the information I want. But tethereal still prints out the error message on the screen. I would rather that it output it to the program, or even better not output it at all. As it is now, my program is slowed down a lot by these error messages.
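As an added example (not part of Martin's or Niklas's messages, and not Ethereal's own code), the following POSIX shell helper maintains the disabled_protos file Martin describes: it appends protocol short names such as dlsw, icq and rx without duplicating entries that are already listed, and a second function checks whether a name is present. The configuration directory is passed in as an argument because its location differs per platform (Martin's is under Application Data on Windows; on Unix-like systems the per-user directory is typically ~/.ethereal). The tethereal invocations at the end are shown in comments only, since they need tethereal installed; the decode-as protocol name in the -d example is a placeholder, because the thread never identifies which protocol actually shares UDP port 4000.

```shell
#!/bin/sh
# Hypothetical helper (not Ethereal's code): manage an Ethereal
# "disabled_protos" file. The file format is one protocol short name per
# line; lines beginning with '#' are comments and are left untouched.

# disable_protos CONFIG_DIR NAME...
# Append each NAME to CONFIG_DIR/disabled_protos unless it is already
# listed as a whole line. Creates the directory and file if needed.
disable_protos() {
    dir=$1
    shift
    f="$dir/disabled_protos"
    mkdir -p "$dir"
    [ -f "$f" ] || : > "$f"
    for name in "$@"; do
        # -x matches the whole line, so "icq" does not match "icqv5" etc.
        if ! grep -qx "$name" "$f"; then
            printf '%s\n' "$name" >> "$f"
        fi
    done
}

# is_disabled CONFIG_DIR NAME
# Exit status 0 if NAME is listed in CONFIG_DIR/disabled_protos, 1 otherwise.
is_disabled() {
    [ -f "$1/disabled_protos" ] || return 1
    grep -qx "$2" "$1/disabled_protos"
}

# list_disabled CONFIG_DIR
# Print the disabled short names, skipping comments and blank lines.
list_disabled() {
    [ -f "$1/disabled_protos" ] || return 0
    grep -v '^#' "$1/disabled_protos" | grep -v '^$'
}

# Example invocations (shown only; tethereal must be installed to run them).
# The "Unknown version" message goes to standard error, so a caller that
# only wants the -V dissection on standard output can simply drop stderr:
#   tethereal -r capture.cap -V 2>/dev/null
# If the real protocol on UDP port 4000 is known and implemented, force
# that dissector instead of disabling ICQ (PROTO is a placeholder name):
#   tethereal -r capture.cap -V -d udp.port==4000,PROTO
```

Disabling a protocol this way affects every capture read with that configuration directory, which is exactly Martin's point about the change being permanent until re-enabled; for a one-off run, the stderr redirection or the -d option is the less intrusive choice.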