This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Data which has been sent over TCP/IP has been recognized by Wireshark as “IPA” Protocol

0

Hey

I was trying to send some data in TCP/IP protocol, and Wireshark has defined it as IPA protocol. The data was in there, but also some kind of unknown info at the start of the monitored data, data which I don't know and didn't try to send...

Has anybody heard about this phenomenon?

thx

kobi

asked 27 Feb '12, 03:25

kobi1209
1111
accept rate: 0%

edited 27 Feb '12, 04:19

Jaap ♦
11.7k16101


One Answer:

2

"IPA" is the ip.access "GSM over IP" protocol. That protocol apparently uses ports 3002, 3003, 3006, 4249, 4250, and 5000 over TCP. The ip.access dissector doesn't check whether the packets handed to it look like ip.access packets, so traffic that's not ip.access traffic but that's to or from one of those ports might be incorrectly dissected as ip.access traffic.

This problem is difficult if not impossible to solve in general; neither TCP nor UDP have a "protocol identifier" field to definitively identify the protocol being transported over TCP or UDP, they just have port numbers that, along with the IP host addresses, uniquely specify the communications endpoints. A given port is not guaranteed to carry only traffic for a particular protocol.

In your case, you could try disabling the ip.access dissector, or changing its TCP port number preference to an empty string or a string that doesn't mention the TCP port you're using.

answered 27 Feb '12, 13:27

Guy Harris ♦♦
17.4k335196
accept rate: 19%
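
The behaviour described in the answer above, as an added example that is not part of the original answer and is not Wireshark's code: a port-only dispatcher labels arbitrary bytes sent to port 5000 as IPA and reads their first three bytes as a header, while a content check rejects them. The header layout (16-bit big-endian payload length plus a one-byte stream identifier) and the identifier values are assumptions taken from the open-source libosmocore headers; all function names and sample bytes are constructed for illustration.

```python
import struct

# TCP ports the answer lists for the ip.access dissector.
IPA_TCP_PORTS = {3002, 3003, 3006, 4249, 4250, 5000}
# Assumption (libosmocore headers, not this page): 16-bit big-endian payload
# length, then a one-byte stream identifier from this set.
IPA_STREAM_IDS = {0x00: "RSL", 0xEE: "OSMO", 0xFC: "MGCP",
                  0xFD: "SCCP", 0xFE: "CCM", 0xFF: "OML"}

# Constructed samples: arbitrary application bytes and a 4-byte IPA CCM message.
APP_DATA = b"HELLO from my app\r\n"
IPA_PING = bytes([0x00, 0x01, 0xFE, 0x00])

def parse_ipa_header(payload):
    """Read the first 3 bytes as an IPA header, with no plausibility check."""
    if len(payload) < 3:
        return None
    return struct.unpack("!HB", payload[:3])  # (length, stream id)

def port_only_dispatch(src_port, dst_port):
    """Pick the dissector from the port numbers alone."""
    return "ipa" if {src_port, dst_port} & IPA_TCP_PORTS else "data"

def looks_like_ipa(payload):
    """Accept only a segment that is a whole chain of plausible IPA messages.
    Simplification: no TCP reassembly, so split messages are rejected."""
    offset = 0
    while offset < len(payload):
        header = parse_ipa_header(payload[offset:])
        if header is None:
            return False
        length, stream = header
        if stream not in IPA_STREAM_IDS or offset + 3 + length > len(payload):
            return False
        offset += 3 + length
    return offset > 0

def heuristic_dispatch(src_port, dst_port, payload):
    """Port match plus content check before claiming the traffic."""
    if port_only_dispatch(src_port, dst_port) == "ipa" and looks_like_ipa(payload):
        return "ipa"
    return "data"

if __name__ == "__main__":
    print(port_only_dispatch(51514, 5000), parse_ipa_header(APP_DATA))
    print(heuristic_dispatch(51514, 5000, APP_DATA))
    print(heuristic_dispatch(51514, 5000, IPA_PING))
```

With the port-only path, the leading bytes "HEL" of the application data are displayed as a length of 18501 and a stream identifier of 0x4C, which is how unrelated traffic ends up with header fields the sender never wrote.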