Closed cen1 closed 6 years ago
It's the bnftp protocol (tcp.stream eq 5 or right click on packet - Follow TCP stream) which is falsely decoded as bnetp.
What @xpeh-owns says :)
The BNETP client performs FTP transfers to get some files from the server using the same port. If you look at frames 16 to 19, you can see the packets sent by the client to request this "subprotocol".
However, the dissector is attached to the TCP port and, since we don't support this kind of protocol switch, the plugin tries to dissect every frame as part of the same protocol, even if it just contains a piece of a random file.
Isn't there a state per TCP session? Is there some global table and can you get TCP session number in capture file (it's available as filter)?
Wireshark has the concept of conversations to support this kind of use-cases. But I'm not sure if they are available from a Lua dissector.
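The per-stream state asked about above can be kept in a plain Lua table keyed by the `tcp.stream` number, without the conversation API. This is an added sketch, not code from this repository; the `bnet_demo` names, port 6112 and the one-byte selector value 0x02 are assumptions to check against the capture.

```lua
-- Added sketch, not the plugin's code: remember per TCP stream which protocol
-- the stream carries, so file-transfer bytes are not parsed as BNETP messages.
local demo = Proto("bnet_demo", "Per-stream protocol tracking (hypothetical)")
local f_kind = ProtoField.string("bnet_demo.kind", "Stream kind")
demo.fields = { f_kind }

-- Same number the display filter "tcp.stream eq 5" matches on.
-- Field extractors must be created at load time, outside the dissector.
local tcp_stream = Field.new("tcp.stream")

-- ASSUMPTIONS: server port 6112, and a client opens each connection with a
-- one-byte selector where 0x02 means file transfer. Check both on your capture.
local SERVER_PORT = 6112
local SELECTOR_BNFTP = 0x02

local stream_kind = {}   -- tcp.stream number -> "bnftp" or "bnetp"

function demo.init()
    stream_kind = {}     -- reset whenever a capture is loaded or reloaded
end

function demo.dissector(tvb, pinfo, tree)
    local fi = tcp_stream()
    if not fi or tvb:len() == 0 then return 0 end
    local id = fi.value

    -- Decide once, on the first payload seen for this stream. Wireshark's first
    -- pass is sequential, so later redissection (pinfo.visited) reuses the entry.
    if stream_kind[id] == nil then
        local from_client = (pinfo.dst_port == SERVER_PORT)
        if from_client and tvb(0, 1):uint() == SELECTOR_BNFTP then
            stream_kind[id] = "bnftp"
        else
            stream_kind[id] = "bnetp"
        end
    end

    local kind = stream_kind[id]
    local sub = tree:add(demo, tvb(), "Stream " .. id .. " carries " .. kind)
    sub:add(f_kind, tvb(), kind)
    if kind == "bnftp" then
        pinfo.cols.protocol = "BNFTP"
        pinfo.cols.info = "File transfer data (" .. tvb:len() .. " bytes)"
    end
    -- A real plugin would hand "bnetp" streams to its message parser here.
    return tvb:len()
end

DissectorTable.get("tcp.port"):add(SERVER_PORT, demo)
```

A capture that starts mid-stream never shows the selector byte, so such streams fall back to "bnetp" and still need a sanity check on the message header before parsing.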
I forked this repo some time ago to fix a weird problem I encountered in one of my dumps but never had the time to do it. I see the repo is active again so I am reporting it here also.
bnftp_unknown.zip
See the Unknown packet 0x72 and 0x8c.