when sniffing unknown traffic, or a new version of some protocol?
dsniff’s decode routines are admittedly pretty sleazy, and cut many corners for the sake of performance (and simplicity – you try fully decomposing all 30+ open / proprietary protocols that dsniff handles!). Additionally, many of the protocols dsniff handles are completely proprietary, and required a bit of reverse engineering which may not have been all that complete or accurate in the face of new protocol versions or extensions. The best way to get new protocols handled by dsniff is to send me traffic traces of a few complete connections / sessions, from start to finish (making sure to capture the packets in their entirety with tcpdump -s 4096, or with Ethereal), along with any pointers to relevant documentation (or client/server implementations). If you’d like to give it a try yourself, add an entry to dsniff’s dsniff.services file to map the traffic you wish to analyze to the “hex” decode routine, and dissect the hexdumps manually.
