On Wed, Oct 23, 2002 at 04:41:59PM +0100, Richard Quadling wrote:
> So it seems that information coming in from a POP3 server looks, initially
> anyway, like GPRS Tunnelling Protocol information.

No, it seems that Ethereal treats traffic to or from port 2123 as GTP version 1 control PDUs, regardless of whether it really is GTPv1 control traffic or not, and you happened to be unlucky enough to have your POP session use port 2123 on one side of the connection. It does so because that's apparently the default port number for GTP version 1 control PDUs.

This is a very broad problem, not at all specific to GTP and/or POP, and there is no general solution that will make Ethereal *never* misidentify packets.

In this particular case, you can disable GTP v1 control plane dissection entirely by setting the "GTPv1 control plane (GTP-C) port" preference to 0 - select "Preferences" from the "Edit" menu, open up the list of protocols by clicking on the "[+]" box labelled "Protocols" on the left pane of the dialog box that pops up, select "GTP" from that list, replace "2123" with "0" in the "GTPv1 control plane (GTP-C) port" preference, click "Save" to save the preferences, and click "OK".

It might also be possible to have the GTP dissector reject packets it thinks are sufficiently malformed, e.g. with a bogus message type, although that runs the risk of causing problems if new message types are added to GTP and you look at traffic with those new message types with a version of Ethereal not modified to know about them - instead of getting what dissection would be possible of that new message, you'd get nothing.
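Added example, not part of the original message and not Ethereal's code: a sketch in C of the difference between selecting a dissector by port alone and also checking the fixed GTPv1 header fields (version, protocol type, length), which stay the same when new message types are added. The function names and both sample payloads are constructed for illustration, and the length check assumes the whole message was captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GTP_C_PORT  2123   /* default GTPv1-C port named in the message */
#define GTP_HDR_LEN 8      /* mandatory GTPv1 header: flags, type, length, TEID */

/* Port-only selection: anything to or from port 2123 is called GTPv1-C. */
int port_says_gtp(uint16_t sport, uint16_t dport)
{
    return sport == GTP_C_PORT || dport == GTP_C_PORT;
}

/* Hypothetical structural check on the fixed header fields only.
 * The message type (p[1]) is deliberately not tested, so message types
 * this code has never heard of are still accepted. */
int looks_like_gtpv1(const uint8_t *p, size_t len)
{
    size_t body;
    if (len < GTP_HDR_LEN) return 0;
    if ((p[0] >> 5) != 1) return 0;            /* version field must be 1 */
    if (!(p[0] & 0x10)) return 0;              /* protocol type bit: 1 = GTP */
    body = ((size_t)p[2] << 8) | p[3];         /* octets after the 8-byte header */
    if (body > len - GTP_HDR_LEN) return 0;    /* assumes an untruncated capture */
    if ((p[0] & 0x07) && body < 4) return 0;   /* E/S/PN set: 4 optional octets */
    return 1;
}

/* Constructed samples: a POP3 greeting and a GTPv1-C Echo Request. */
static const uint8_t pop3_banner[] = "+OK POP3 server ready\r\n";
static const uint8_t gtp_echo_req[] = {
    0x32, 0x01, 0x00, 0x04,    /* v1, PT=1, S=1; type 1; length 4 */
    0x00, 0x00, 0x00, 0x00,    /* TEID 0 */
    0x00, 0x01, 0x00, 0x00     /* sequence 1, N-PDU 0, no extension header */
};

int main(void)
{
    printf("port rule on 110 -> 2123: %d\n", port_says_gtp(110, GTP_C_PORT));
    printf("POP3 greeting passes header check: %d\n",
           looks_like_gtpv1(pop3_banner, sizeof pop3_banner - 1));
    printf("Echo Request passes header check: %d\n",
           looks_like_gtpv1(gtp_echo_req, sizeof gtp_echo_req));
    return 0;
}
```

The first octet of the greeting, `+` (0x2B), decodes as version 1, so the version field alone does not separate the two payloads; here it is the protocol type bit that rejects the POP3 data.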
