Wireshark-dev: Re: [Wireshark-dev] How to avoid dissection based on port defined by a different
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 15 Dec 2010 17:51:18 -0500
Christopher Maynard wrote:
Stephen Fisher <steve@...> writes:

In addition to Christopher Maynard's suggestions, the surest way to fix it is to make both dissectors "new-style" so that they verify that the traffic on the port they're registered on (3503) is the right traffic they're expecting and kick it back to Wireshark so that another dissector can be tried....
I forgot to write:

... if it isn't the right protocol for that dissector

The problem I have with this is that 3503 is registered to MPLS Echo so that
dissector shouldn't have to be changed to essentially become a heuristic one to
accommodate this port-stealing protocol.  It's essentially the same situation as
for bug 1946. (See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1946) We ought to be able to rely on registered ports being reserved for data
applicable to the protocols intended to run atop those ports.  Granted 3503 is
not a so-called "well-known" port, so it differs a little bit from the DNS
situation, but it's basically the same thing.  If we accept this situation, then
potentially we have a lot of dissectors to convert to new-style, and that might
be a lot of work, depending on how extensive the heuristics get.  And then you
can always run into the case when the heuristics fail anyway.  (I say
potentially because I haven't tried to count how many dissectors would be
affected.  I suspect a lot though.)

Well, I agree that protocols "shouldn't" steal ports. But they do. It's Not Right, but should Wireshark be limited to what is Right or what is Reality? (In other words, should the goal be for it to "just work?")

For example, even when protocols don't steal ports, administrators steal/reuse ports: how often do you see web servers on something other than port 80? Okay, maybe not that often on the Internet, but I can probably find dozens of examples at work.

My opinion has been: if Wireshark can figure it out (e.g., heuristically), let's try to do it. I don't think we'll ever be done, but we can keep improving. (Well, except when we can't because we can't come up with good enough heuristics, but that's another story...)