On Wed, 2008-07-30 at 20:07 -0700, Guy Harris wrote:
> On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:
>
> > I recently came across some packets which tcpdump appears to display
> > incorrectly.
> >
> > Is tcpdump incorrectly invoking some heuristic dissector, or is there
> > another reason?
>
> I guess that's what I'd call it.
>
> tcpdump assumes that packets to or from certain ports might be
> KIP-encapsulated AppleTalk packets (KIP = "Kinetics IP"); see the tcpdump
> man page (look for "KIP AppleTalk (DDP in UDP)"), or RFC 1243:
>
>     4.7. The Kinetics Internet Protocol Group
>
>     The Kinetics Internet Protocol (KIP) is a protocol for encapsulating
>     and routing AppleTalk datagrams over an IP internet. This name is
>     historical. The KIP group manages the KIP routing protocol as well
>     as the routing tables generated by this protocol.
>
> It uses a heuristic to check, but the heuristic is really weak (it
> checks whether, if the payload were an AppleTalk LLAP packet, the type
> would be DDP, so it checks one count 'em one byte in the entire
> payload).

Okay, the explanation makes sense. We just had bad luck with our packets
looking like candidates for KIP.

Tcpdump doesn't have a way of configuring/disabling heuristic dissectors
like this, without hacking the code?

Stephen.

--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: [EMAIL PROTECTED]
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
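
The one-byte test described in the thread, as an added example that is not tcpdump's code or part of the original messages: it sweeps the single examined byte over a constructed non-AppleTalk payload to show how many values pass, next to a hypothetical stricter check. The LLAP/DDP offsets, type values and header sizes are assumptions about the wire format, and all function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, not from the thread: LLAP header = dst node, src node,
 * type; type 1 = short-header DDP, type 2 = long-header DDP. */
enum { LLAP_HDR = 3, SHORT_DDP = 1, LONG_DDP = 2 };

/* Constructed sample: 16 bytes of unrelated application data. */
static const uint8_t sample[16] = { 0x47, 0x45, 0x02, 0x20, 0x2f, 0x69,
    0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x0a };

/* The kind of test the thread describes: a single byte decides. */
static int weak_kip_check(const uint8_t *p, size_t len)
{
    return len >= LLAP_HDR && (p[2] == SHORT_DDP || p[2] == LONG_DDP);
}

/* Hypothetical stricter test: the 10-bit DDP length field must also
 * equal the number of bytes that follow the LLAP header. */
static int strict_kip_check(const uint8_t *p, size_t len)
{
    /* Assumed DDP header sizes: 5 bytes short, 13 bytes long. */
    size_t min_ddp = (len >= LLAP_HDR && p[2] == SHORT_DDP) ? 5 : 13;
    if (!weak_kip_check(p, len) || len < LLAP_HDR + min_ddp)
        return 0;
    return ((((size_t)p[3] & 0x03) << 8) | p[4]) == len - LLAP_HDR;
}

/* Count how many of the 256 values of the examined byte a check accepts. */
static int count_accepted(int (*check)(const uint8_t *, size_t))
{
    uint8_t buf[sizeof sample];
    int v, hits = 0;
    memcpy(buf, sample, sizeof buf);
    for (v = 0; v < 256; v++) {
        buf[2] = (uint8_t)v;
        hits += check(buf, sizeof buf);
    }
    return hits;
}

int main(void)
{
    printf("weak %d/256, strict %d/256\n",
           count_accepted(weak_kip_check), count_accepted(strict_kip_check));
    return 0;
}
```

Under these assumptions, roughly 1 in 128 arbitrary payloads on a matching port passes the one-byte test, which is consistent with the "bad luck" described in the reply.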