Checked in.
I agree that checking the UDP port and 5 bytes of payload should be
adequate protection against false positives.
Can you create a wiki page for these protocols as well? It is very
nice to have wiki pages for protocols.
On 6/1/06, Thomas Dreibholz <dreibh@xxxxxxxxxxxxxx> wrote:
On Thursday 01 June 2006 12:23, ronnie sahlberg wrote:
> since it is a very rarely used protocol
> the worry would be for false positives.
> if the dissector mistakes common protocols for this one instead.
> I would be ok with its inclusion if its heuristics can be made very
> very strong so the chance of a false positive is very low.
Only the CSP protocol is critical, since the other protocols use a fixed,
32-bit SCTP payload protocol identifier. That is, the probability of a
misidentification is extremely low (1 to 2^32).
CSP uses a UDP port, but the header contains a type field (1 byte) and a
version number (4 bytes). The dissector checks for a valid version number
(currently, only 0x00000200 is valid) and a valid type (currently, only 0x01
is defined). In combination with the UDP port number, there is an extremely
low probability for a misidentification (40 header bits + 16 bit UDP port
number must match).
> a wiki page and example traces would be looked at positively.
A pcap example trace of the protocols is attached to this mail.
Best regards
--
=======================================================================
Dipl.-Inform. Thomas Dreibholz
University of Essen
Inst. for Experimental Mathematics
Computer Networking Technology Group
Room ES210
Ellernstraße 29
D-45326 Essen/Germany
-----------------------------------------------------------------------
E-Mail: dreibh@xxxxxxxxxxxxxxxxxxxxx
Homepage: http://www.exp-math.uni-essen.de/~dreibh
=======================================================================
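The CSP heuristic described in the thread (UDP port plus type byte 0x01 plus version 0x00000200), written out as an added example that is not code from the thread or from the dissector itself. The UDP port number and the header offsets (type at byte 0, big-endian version at byte 4) are assumptions, since the mail does not state them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the thread: only type 0x01 and version 0x00000200 are valid. */
#define CSP_VALID_TYPE     0x01u
#define CSP_VALID_VERSION  0x00000200u

/* ASSUMPTIONS, not from the thread: the registered UDP port is a placeholder,
 * and the header is assumed to be type(1) flags(1) length(2) version(4),
 * so the 32-bit big-endian version sits at offset 4. Adjust if the real
 * header differs. */
#define CSP_UDP_PORT        2960u
#define CSP_TYPE_OFFSET     0
#define CSP_VERSION_OFFSET  4
#define CSP_MIN_HEADER_LEN  8

/* Heuristic match: 1 if the datagram should be handed to the CSP dissector,
 * 0 otherwise. Every check is on fixed bits, so a random datagram on the
 * right port passes with probability about 2^-40 (the 40 header bits). */
int csp_heuristic_match(uint16_t dst_port, const uint8_t *buf, size_t len)
{
    if (dst_port != CSP_UDP_PORT)
        return 0;
    /* Length check first: a heuristic must never read beyond the captured bytes. */
    if (buf == NULL || len < CSP_MIN_HEADER_LEN)
        return 0;
    if (buf[CSP_TYPE_OFFSET] != CSP_VALID_TYPE)
        return 0;
    uint32_t version = ((uint32_t)buf[CSP_VERSION_OFFSET]     << 24) |
                       ((uint32_t)buf[CSP_VERSION_OFFSET + 1] << 16) |
                       ((uint32_t)buf[CSP_VERSION_OFFSET + 2] <<  8) |
                        (uint32_t)buf[CSP_VERSION_OFFSET + 3];
    return version == CSP_VALID_VERSION;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t kSampleValid[8]        = {0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00};
static const uint8_t kSampleWrongVersion[8] = {0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00};
static const uint8_t kSampleTruncated[5]    = {0x01, 0x00, 0x00, 0x08, 0x00};

int main(void)
{
    printf("valid:         %d\n", csp_heuristic_match(CSP_UDP_PORT, kSampleValid, sizeof kSampleValid));
    printf("wrong version: %d\n", csp_heuristic_match(CSP_UDP_PORT, kSampleWrongVersion, sizeof kSampleWrongVersion));
    printf("truncated:     %d\n", csp_heuristic_match(CSP_UDP_PORT, kSampleTruncated, sizeof kSampleTruncated));
    printf("wrong port:    %d\n", csp_heuristic_match(53, kSampleValid, sizeof kSampleValid));
    return 0;
}
```

The truncated case is the one worth keeping in mind: the length test must come before any field read, otherwise a short datagram on the port turns the heuristic itself into an over-read.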