On Dec 15, 2010, at 1:46 PM, Christopher Maynard wrote:
> The problem I have with this is that 3503 is registered to MPLS Echo so that
> dissector shouldn't have to be changed to essentially become a heuristic one
> to
> accommodate this port-stealing protocol.
The protocol itself might not be stealing that port; I suspect that the "port
A" in "I have a dissector plugin that is registered with port A." is not port
3503.
However, the OS on the other endpoint might have chosen port 3503 as the port
number for its side of the conversation. OSes *should* (and that might even be
a SHOULD in some RFC - or even a MUST - but I don't know offhand what RFC that
is) choose ports in the ephemeral range (49152 through 65535) if the
application (or library) doesn't explicitly choose a port number, rather than
ports in the well-known range (0 through 1023, often restricted to privileged
users for silly "security" reasons) or the registered range (1024 through
49151). However, that doesn't guarantee that they *do*. When looking for a
port match, we try the lowest port number first, as that's more likely to be a
"real" port - but there isn't any test you can use on port numbers that's
*guaranteed* never to get the wrong answer.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
