This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark isn’t recognizing the Skinny protocol

0

Hi,

I am using the latest version of Wireshark, 1.8.6. After opening the packet capture file, the Protocol column shows TCP instead of Skinny. I know this frame is Skinny traffic; maybe this is a new bug in Wireshark 1.8.6? I can provide a screen dump and the packet capture file.

Regards

Kevin

asked 12 May '13, 20:02

TAC

edited 13 May '13, 15:45


One Answer:

1

Wireshark, by default, only recognizes:

  • TCP traffic to and from port 2000;
  • SSL traffic to and from port 2443;

as Skinny traffic. You probably have traffic to or from Yet Another Port, so you'd have to use "Decode As..." to decode it as Skinny traffic.

answered 12 May '13, 23:21

Guy Harris ♦♦

Hi, Guy

I just checked the Wireshark source code here: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-skinny.c?view=markup It looks like everything is defined in the packet-skinny.c file. How hard is it to change the Wireshark default behavior and let it recognize the Skinny traffic? I am new to Wireshark development; is there any guide on the web?

(13 May '13, 00:31) TAC
1

"Recognize" based on what?

Wireshark can automatically recognize traffic for protocols running atop TCP or UDP based on either

  • the TCP or UDP port number;
  • the contents of the packet.

For the former, you'd either have a wired-in set of port numbers and have the dissector register for all those port numbers or have a preference (defaulting to the current set of port numbers) and register for the specified port numbers.

For the latter, you'd have to figure out a pattern in Skinny packets sufficient to recognize all Skinny packets AND sufficient to recognize all packets that aren't Skinny packets and NOT try to dissect them as Skinny packets.

The first of those is easy, but means that the recognition of Skinny packets is only semi-automatic - only a little better than just using "Decode As...". The latter would automatically recognize them, IF it's possible, but is harder, as you'd have to figure out a pattern strong enough to recognize Skinny packets as such and NOT to recognize non-Skinny packets.

(13 May '13, 02:34) Guy Harris ♦♦
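
The content-based recognition described in the last comment, sketched as a standalone check. This is an added example, not code from the thread or from Wireshark's packet-skinny.c. It assumes a Skinny header of three 32-bit little-endian fields (data length, header version, message ID); the accepted version range and the length bound are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SKINNY_HDR_LEN 12u    /* length + version + message ID, 4 bytes each */
#define SKINNY_MAX_LEN 4096u  /* assumed sanity bound, not from the page */

/* Read a 32-bit little-endian value from p. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed set of plausible header-version values (illustrative only). */
static int version_ok(uint32_t v)
{
    return v == 0x00 || (v >= 0x0a && v <= 0x16);
}

/* Return 1 if a TCP payload plausibly starts with a Skinny PDU, else 0.
 * The PDU may continue in later segments, so data_len is not compared
 * against len; it only has to be sane on its own. */
int looks_like_skinny(const uint8_t *buf, size_t len)
{
    uint32_t data_len, version;

    if (buf == NULL || len < SKINNY_HDR_LEN)
        return 0;                    /* too short to hold a full header */
    data_len = le32(buf);
    version = le32(buf + 4);
    if (data_len < 4 || data_len > SKINNY_MAX_LEN)
        return 0;                    /* must at least cover the message ID */
    if (!version_ok(version))
        return 0;                    /* rejects most non-Skinny payloads */
    return 1;
}

int main(void)
{
    /* Constructed samples: a KeepAlive-shaped PDU and an HTTP request. */
    const uint8_t skinny[] = { 4,0,0,0, 0,0,0,0, 0,0,0,0 };
    const uint8_t http[] = "GET / HTTP/1.1\r\n";

    printf("skinny=%d http=%d\n",
           looks_like_skinny(skinny, sizeof skinny),
           looks_like_skinny(http, sizeof http - 1));
    return 0;
}
```

A check this loose still accepts any payload whose first eight bytes happen to fit, which is the false-positive risk the comment warns about; a stricter pattern would also validate the message ID.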