Adele wrote:
> Actually I have talked to some guys who work in the OICQ company and according 
> to them, Thunder and OICQ are competitors and there is no 
> co-operation between them.  So I am really confused about how I can 
> capture OICQ packets from Thunder while OICQ is not running.  
> Therefore, if it is possible, may I ask how Wireshark works and decides 
> that a packet is an OICQ packet? I mean, besides the UDP port, are there 
> any other ways for Wireshark to categorise a packet as an OICQ packet?

Wireshark, as a network analyzer, uses different methods to classify 
packets.  In the case of OICQ it appears that the OICQ dissector grabs 
packets on UDP port 8000, does some basic heuristics to check if the 
packet looks at least vaguely like OICQ, and then decodes the packet as 
OICQ.

Heuristics generally aren't perfect which means the dissector will 
likely make mistakes.  I'd guess in this case that Thunder's packets 
look enough like OICQ to fool the dissector.

If we had some OICQ sample captures (there aren't any on the 
SampleCaptures page on the Wiki) and some Thunder sample captures, we 
/might/ be able to strengthen the heuristics of OICQ so it does not recognize 
those Thunder packets as OICQ.

For the time being you could just disable the OICQ dissector to make 
these presumed false positives go away.
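To illustrate the mechanism described in the reply (a UDP port hook plus a sanity check that gates the decode), here is an added Lua heuristic dissector skeleton. It is not Wireshark's OICQ dissector and does not reflect the real OICQ wire format: the protocol name "demoproto", the expected tag byte and the declared-length check are constructed placeholders standing in for whatever field checks real sample captures would justify.

```lua
-- Added example (not Wireshark's own OICQ dissector): a minimal Lua dissector
-- showing how a UDP port hook plus a heuristic sanity check decide whether a
-- payload is decoded as a given protocol. All header checks are placeholders.
local demo_proto = Proto("demoproto", "Demo heuristic protocol")

local f_tag = ProtoField.uint8("demoproto.tag", "Tag", base.HEX)
local f_len = ProtoField.uint16("demoproto.len", "Declared length", base.DEC)
demo_proto.fields = { f_tag, f_len }

-- Placeholder sanity checks (assumptions, not OICQ's real header): a fixed
-- leading tag byte and a declared length that must equal the payload length.
-- Tightening checks like these is what "strengthening the heuristics" means;
-- the weaker they are, the more foreign traffic on the port gets mislabeled.
local EXPECTED_TAG = 0x02   -- constructed value
local MIN_LEN = 3

local function looks_like_demo(tvb)
  if tvb:len() < MIN_LEN then return false end
  if tvb(0, 1):uint() ~= EXPECTED_TAG then return false end
  if tvb(1, 2):uint() ~= tvb:len() then return false end
  return true
end

-- Port-table entry point. Returning 0 tells Wireshark the packet is not ours,
-- so it falls through to other candidates (ultimately the generic "Data"
-- dissector) instead of being shown under the wrong protocol name.
function demo_proto.dissector(tvb, pinfo, tree)
  if not looks_like_demo(tvb) then return 0 end
  pinfo.cols.protocol = demo_proto.name
  local subtree = tree:add(demo_proto, tvb())
  subtree:add(f_tag, tvb(0, 1))
  subtree:add(f_len, tvb(1, 2))
  return tvb:len()
end

-- Heuristic entry point for UDP traffic on any port: must return true only
-- when the payload passes the same checks.
local function heur_dissect(tvb, pinfo, tree)
  return demo_proto.dissector(tvb, pinfo, tree) > 0
end

demo_proto:register_heuristic("udp", heur_dissect)
-- Port hook, as the OICQ dissector does on UDP/8000.
DissectorTable.get("udp.port"):add(8000, demo_proto)
```

Dropped into the Wireshark plugins directory, this registers both a port-based and a heuristic path, and both reject a packet that fails the checks. The workaround in the reply corresponds to unticking the protocol under Analyze > Enabled Protocols, which removes it from both paths at once.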
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list
Archives:    http://www.wireshark.org/lists/wireshark-dev