NFS4 uses port 2049, it is RPC service, but does not use portmapper. So
port detection based on RPC portmapper does not work for this RPC service
because there is no portmapper traffic.
And if traffic is between some SSL service port (e.g. 993) and NFS4 port
2049 then the packet is decoded as SSL. Note that for NFS traffic it common
that client port is below 1024, and so there is a high chance to choose
some SSL service port.
Fix this problem and explicitly register also TCP port 2049 for RPC
dissector, like it is already done for TCP port 111 (used by RCP portmapper
service).
With this change TCP traffic between ports 993 and 2049 is decoded as NFS4.
---
epan/dissectors/packet-rpc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/epan/dissectors/packet-rpc.c b/epan/dissectors/packet-rpc.c
index c798d19bb47f..777a041125ce 100644
--- a/epan/dissectors/packet-rpc.c
+++ b/epan/dissectors/packet-rpc.c
@@ -59,6 +59,7 @@ void proto_register_rpc(void);
void proto_reg_handoff_rpc(void);
#define RPC_TCP_PORT 111
+#define NFS4_TCP_PORT 2049
#define RPC_UDP 0
#define RPC_TCP 1
@@ -4476,6 +4477,9 @@ proto_reg_handoff_rpc(void)
dissector_add_uint_with_preference("udp.port", RPC_TCP_PORT,
rpc_handle);
dissector_add_string("tls.alpn", "sunrpc", rpc_tls_handle);
+ /* tcp port 2049 is used by NFS4, it is onc-rpc service, but does not
use portmapper */
+ dissector_add_uint_with_preference("tcp.port", NFS4_TCP_PORT,
rpc_tcp_handle);
+
heur_dissector_add("tcp", dissect_rpc_tcp_heur, "RPC over TCP",
"rpc_tcp", proto_rpc, HEURISTIC_ENABLE);
heur_dissector_add("udp", dissect_rpc_heur, "RPC over UDP", "rpc_udp",
proto_rpc, HEURISTIC_ENABLE);
heur_dissector_add("tls", dissect_rpc_tls_heur, "RPC with TLS",
"rpc_tls", proto_rpc, HEURISTIC_ENABLE);
--
2.20.1
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@wireshark.org
To unsubscribe send an email to wireshark-dev-le...@wireshark.org
