Wireshark dissectors for a particular protocol can be called to dissect packets for a number of reasons:
- The dissector has registered to be called for packets on a particular port, e.g. tcp/389 for LDAP, usually via a preferences setting for the dissector.
- The dissector has registered as a "heuristic" dissector and has determined, possibly incorrectly, that the packets it has been handed are indeed of the expected protocol type.
- The dissector has registered as a handler for a particular "type" of data, e.g. "text/plain", and the dissector for another protocol has determined that the data is of the specified type.
- The user has made a "Decode As ..." setting to decode all packets on a particular Link Type\Network Type\Transport Port as the specified protocol.
- Other ways I've forgotten or didn't even know about.
In summary, yes, a dissector can be called for packets that are not of the correct type, and various forms of oddness will ensue depending on how the dissector is coded.
answered 24 Nov '15, 04:06
grahamb ♦
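To make the registration paths in the answer above concrete, here is an added Lua dissector example (not code from the thread or from Wireshark's own LDAP dissector). It registers the same protocol three ways listed above, port, heuristic and media type, and shows a heuristic check that is deliberately shallow, so it can claim traffic that merely starts with a BER SEQUENCE. The protocol name "exldap", the port 3890, the media type "application/x-exldap" and the field names are assumptions for illustration only.

```lua
-- Added example, not part of the original thread. Protocol name, port,
-- media type and field names are assumed for illustration.
local proto = Proto("exldap", "Example LDAP-like dissector")

local f_msgid = ProtoField.uint32("exldap.msgid", "Message ID", base.DEC)
local f_op    = ProtoField.uint8("exldap.op", "protocolOp tag", base.HEX)
proto.fields = { f_msgid, f_op }

-- Assumed port. Binding 389 here would replace the built-in LDAP dissector.
local ASSUMED_PORT = 3890

-- Decode a BER length at offset; returns value and header size, or nil.
local function ber_length(buf, off)
  if off >= buf:len() then return nil end
  local b = buf(off, 1):uint()
  if b < 0x80 then return b, 1 end          -- short form
  local n = b - 0x80                         -- long form: n length bytes
  if n == 0 or n > 4 or off + 1 + n > buf:len() then return nil end
  return buf(off + 1, n):uint(), 1 + n
end

-- Plausibility check: SEQUENCE tag, sane length, then an INTEGER messageID.
-- Any protocol whose payload happens to start 30 xx 02 passes this test,
-- which is exactly how a heuristic dissector ends up claiming wrong traffic.
local function looks_like_ldap(buf)
  if buf:len() < 4 or buf(0, 1):uint() ~= 0x30 then return false end
  local len, hdr = ber_length(buf, 1)
  if not len or len < 3 then return false end
  return buf(1 + hdr, 1):uint() == 0x02
end

function proto.dissector(buf, pinfo, tree)
  -- Returning 0 tells Wireshark "not mine"; a port-registered dissector
  -- that skips this check is the source of the "oddness" described above.
  if not looks_like_ldap(buf) then return 0 end
  pinfo.cols.protocol = "EXLDAP"
  local subtree = tree:add(proto, buf())
  local _, hdr = ber_length(buf, 1)
  local off = 1 + hdr                        -- at the INTEGER tag (0x02)
  local idlen, idhdr = ber_length(buf, off + 1)
  if not idlen or idlen < 1 or idlen > 4 then return 0 end
  subtree:add(f_msgid, buf(off + 1 + idhdr, idlen))
  off = off + 1 + idhdr + idlen
  if off < buf:len() then
    -- 0x60 BindRequest, 0x61 BindResponse, 0x63 SearchRequest, ...
    subtree:add(f_op, buf(off, 1))
  end
  return buf:len()
end

-- Heuristic entry point: must return true only when it is sure enough.
local function heur(buf, pinfo, tree)
  if not looks_like_ldap(buf) then return false end
  proto.dissector(buf, pinfo, tree)
  return true
end

-- 1. Port-based: called for every TCP segment on the port, whatever it carries.
DissectorTable.get("tcp.port"):add(ASSUMED_PORT, proto)
-- 2. Heuristic: tried on TCP payloads that no port-based dissector claimed.
proto:register_heuristic("tcp", heur)
-- 3. Media type: called when another dissector (e.g. HTTP) labels a body this way.
DissectorTable.get("media_type"):add("application/x-exldap", proto)
-- 4. "Decode As ...": a Proto added to tcp.port is offered in that dialog;
--    DissectorTable:add_for_decode_as(proto) lists it without binding a port.
```

Drop the file into the Wireshark plugins directory (or load it with `-X lua_script:`) and feed it a capture on port 3890: payloads that start with a valid SEQUENCE/INTEGER prefix are decoded, anything else falls through to the data dissector because the dissector returns 0. Loosen `looks_like_ldap` to check only the 0x30 tag and you will see the heuristic path grab unrelated TCP streams, which is the failure mode the answer describes.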
Thanks Graham, there are no special decode settings, all is default. But if I see successful bind responses, I guess then it is really LDAP, not some other traffic using the same TCP port as LDAP's default one? I'd like to show you some screenshots, but don't know how to...
Analysis by screenshot is ... painful.
You can share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.
Yes, agree, but I can't share the pcap files. Meanwhile things are clear now; the traffic is indeed LDAP. Thanks for your help.