This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 4 and 5
Revision 4 as of 2005-07-12 18:22:05
Size: 2971
Editor: UlfLamping
Comment: typo
Revision 5 as of 2006-06-05 03:19:10
Size: 2975
Editor: localhost
Comment:

Connection Oriented Transport Protocol (COTP, ISO 7073)

This is the connection transport protocol of the IsoProtocolFamily.

As most readers nowadays will be more familiar with ["TCP"], COTP is explained here by comparing the two protocols, as both are used to transport users' data reliably over a network.

Packet-based vs. stream-based: COTP transports packets of data from one user to the other, so the receiver will get exactly the same data boundaries as the sender transmitted. ["TCP"] transports a continuous stream of data to the receiver, so the protocol on top of TCP often has to add such boundaries itself (see the ["TPKT"] protocol for such a protocol).

TSAP's vs. ports: To multiplex several conversations between two hosts, COTP uses TSAP's, which are variable length binary blobs (often a meaningful string is used). These TSAP's are matched during the connection establishment phase, and replaced by the 2 byte (destination/source) references during data transfer. TCP uses ports for this. One remarkable difference is that TSAP's are singletons - if a TSAP is used for a connection it cannot be used by another.

History

This protocol has been replaced by ["TCP"] in most applications. Applications that used COTP before will often use the ["TPKT"] protocol on top of ["TCP"] now.

Protocol dependencies

  • ["CLNP"]: COTP uses ["CLNP"] as its underlying network protocol.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The COTP dissector is fully functional.

Preference Settings

  • Reassemble segmented COTP datagrams: XXX - add info here
  • Display TSAPs as string or bytes: The TSAP's can be any binary data. Applications often choose a textual representation, so the default setting "As strings if printable" might be a good idea in many cases.
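
The TSAP matching at connection establishment and the "As strings if printable" display described above can be seen in a small parser for a COTP Connection Request TPDU. This is an added example, not Wireshark's dissector code: the header layout and parameter codes 0xC1/0xC2 follow RFC 905, and the function names, the printable-byte rule and the sample bytes are assumptions made for illustration.

```python
# Added example (not Wireshark code): bounds-checked parse of a COTP
# Connection Request TPDU, showing the TSAPs and the 2-byte references.
TSAP_PARAMS = {0xC1: "calling_tsap", 0xC2: "called_tsap"}  # codes per RFC 905

def show_tsap(raw: bytes) -> str:
    """Assumed rule for "As strings if printable": text if all bytes are
    printable ASCII, otherwise hex."""
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return "0x" + raw.hex()

def parse_cr(tpdu: bytes) -> dict:
    """Parse a CR TPDU; raise ValueError on truncated or malformed input."""
    if len(tpdu) < 7:
        raise ValueError("too short for a CR header")
    li = tpdu[0]                      # header length, not counting LI itself
    if li < 6 or li + 1 > len(tpdu):
        raise ValueError("length indicator does not fit the buffer")
    if tpdu[1] >> 4 != 0xE:           # high nibble 1110 = CR, low nibble = credit
        raise ValueError("not a Connection Request TPDU")
    out = {
        "dst_ref": int.from_bytes(tpdu[2:4], "big"),  # zero in a CR
        "src_ref": int.from_bytes(tpdu[4:6], "big"),
        "class": tpdu[6] >> 4,
    }
    pos, end = 7, li + 1
    while pos < end:                  # variable part: code, length, value
        if pos + 2 > end:
            raise ValueError("truncated parameter header")
        code, plen = tpdu[pos], tpdu[pos + 1]
        pos += 2
        if pos + plen > end:
            raise ValueError("parameter overruns the header")
        value = tpdu[pos:pos + plen]
        pos += plen
        if code in TSAP_PARAMS:
            out[TSAP_PARAMS[code]] = show_tsap(value)
        else:
            out[f"param_0x{code:02x}"] = value.hex()
    return out

# Constructed sample: class 0 CR, src-ref 0x002a, TPDU size parameter,
# binary calling TSAP 01 00, textual called TSAP "SRV1".
SAMPLE_CR = bytes.fromhex("13e00000002a00c0010ac1020100c20453525631")

if __name__ == "__main__":
    print(parse_cr(SAMPLE_CR))
```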

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of COTP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/c/cotp.html display filter reference]

  • Show only the COTP based traffic:

     cotp 

  • Show only the COTP based traffic, except for the COTP Data (cotp.type == 0x06) and Acknowledge (cotp.type == 0x0f) TPDU's. This way you will only see special packets like connection establishment or expedited data:

     cotp && !(cotp.type == 0x06 || cotp.type == 0x0f) 

Capture Filter

You cannot directly filter COTP protocols while capturing. XXX - add information about capturing of lengths smaller than 1450? bytes or even better ways to capture only COTP.

Discussion

COTP (last edited 2008-04-12 17:51:39 by localhost)