I was trying to send some data over the TCP/IP protocol, and Wireshark has identified it as the IPA protocol. The data was in there, but also some kind of unknown info at the start of the monitored data, data which I don't know and didn't try to send...
Has anybody heard about this phenomenon?
"IPA" is the ip.access "GSM over IP" protocol. That protocol apparently uses ports 3002, 3003, 3006, 4249, 4250, and 5000 over TCP. The ip.access dissector doesn't check whether the packets handed to it look like ip.access packets, so traffic that's not ip.access traffic but that's to or from one of those ports might be incorrectly dissected as ip.access traffic.
This problem is difficult if not impossible to solve in general; neither TCP nor UDP has a "protocol identifier" field to definitively identify the protocol being transported over TCP or UDP. They just have port numbers that, along with the IP host addresses, uniquely specify the communications endpoints. A given port is not guaranteed to carry only traffic for a particular protocol.
In your case, you could try disabling the ip.access dissector, or changing its TCP port number preference to an empty string or a string that doesn't mention the TCP port you're using.
answered 27 Feb '12, 13:27
Guy Harris ♦♦
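
The port-only dispatch described in the answer, next to a version that sanity-checks the payload first, as an added example that is not part of the original post and is not Wireshark's code. The function names are hypothetical, and the 3-byte header layout and stream identifier set are simplified assumptions about ip.access framing.

```python
import struct

# TCP ports the answer lists for the ip.access dissector.
IPA_TCP_PORTS = {3002, 3003, 3006, 4249, 4250, 5000}

# Assumption: simplified framing of a 2-byte big-endian payload length
# followed by a 1-byte stream identifier. The identifier set is illustrative.
HEADER_LEN = 3
ASSUMED_STREAM_IDS = {0x00, 0xFC, 0xFD, 0xFE, 0xFF}


def parse_header(payload):
    """Read the first three bytes as (length, stream_id) without validation."""
    if len(payload) < HEADER_LEN:
        return None
    return struct.unpack("!HB", payload[:HEADER_LEN])


def dissect_by_port(src_port, dst_port, payload):
    """Port-only dispatch: any payload on a listed port is decoded as IPA."""
    if not {src_port, dst_port} & IPA_TCP_PORTS:
        return "TCP data"
    hdr = parse_header(payload)
    if hdr is None:
        return "IPA (truncated)"
    return f"IPA len={hdr[0]} stream=0x{hdr[1]:02x}"


def looks_like_ipa(payload):
    """Plausibility check: known stream id and a length that fits the segment.

    A real check would also have to cope with messages split across segments.
    """
    hdr = parse_header(payload)
    if hdr is None:
        return False
    length, stream_id = hdr
    return stream_id in ASSUMED_STREAM_IDS and 0 < length <= len(payload) - HEADER_LEN


def dissect_with_check(src_port, dst_port, payload):
    """Decode as IPA only when both the port and the payload shape match."""
    if {src_port, dst_port} & IPA_TCP_PORTS and looks_like_ipa(payload):
        return dissect_by_port(src_port, dst_port, payload)
    return "TCP data"


# Constructed samples: application bytes sent to port 5000, and a made-up IPA frame.
APP_PAYLOAD = b"HELLO from my app"
IPA_FRAME = struct.pack("!HB", 4, 0xFF) + b"\x01\x02\x03\x04"
```

With port-only dispatch the first three bytes of `APP_PAYLOAD` are shown as a length and stream field, which is how application data ends up displayed with header fields the sender never wrote.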