Wireshark-dev: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

From: "Michael A. McCartney" <mccart@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Apr 2008 09:04:57 -0500
Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one line fix for that EOH issue,
and I had the same question about where the protocol
specs are.

Thanks-Mike


Andrew Feren wrote:
I've recently started getting a number of false positive hits from the new
Redback Lawful Intercept heuristic.  I was going to try and tighten up the
heuristic a bit, but I can't find any sort of protocol specification.

Basically I use some protocols that start with a 32 bit version number.
However, since the version numbers are all well below 65,535, the first two
bytes are always 0.  The Redback heuristic sees this as an end of header
marker and returns true.

My thought was to return false if the first avptype is an end of header
marker, but without a protocol spec I can't be sure that this is actually an
invalid redback packet.

Anyone have any more details?

-Andrew

-Andrew Feren
 acferen@xxxxxxxxx
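To make the false positive concrete, here is an added example (not Wireshark's own redback dissector code) that models the heuristic two ways: the loose form, which accepts as soon as it reaches an end-of-header (EOH) marker, and the tightened form Andrew suggests, which rejects a packet whose very first AVP type is already the EOH marker. It assumes, as the thread implies, that the EOH marker is a 16-bit AVP type of 0; the AVP layout (16-bit type, 16-bit length, value bytes) and the sample packets are constructed for illustration and may differ from the real protocol.

```c
/* Added example modelling the Redback LI heuristic false positive discussed
 * above. Assumed (not from a spec): AVPs are big-endian 16-bit type,
 * 16-bit length, then that many value bytes; type 0 is the EOH marker. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define REDBACK_LI_AVP_EOH 0x0000   /* assumed encoding of the EOH marker */

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk AVPs until the EOH marker. With reject_leading_eoh set, an EOH
 * as the first AVP is treated as "not a Redback LI packet". */
static bool walk_avps(const uint8_t *buf, size_t len, bool reject_leading_eoh)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint16_t type = get_be16(buf + off);
        if (type == REDBACK_LI_AVP_EOH)
            return !(reject_leading_eoh && off == 0);
        if (off + 4 > len)
            return false;                /* truncated AVP header */
        uint16_t avp_len = get_be16(buf + off + 2);
        if (off + 4 + (size_t)avp_len > len)
            return false;                /* AVP claims more bytes than captured */
        off += 4 + (size_t)avp_len;
    }
    return false;                        /* ran out of bytes before EOH */
}

/* Loose heuristic: any reachable EOH marker counts as a match. */
bool redback_li_heur_loose(const uint8_t *buf, size_t len)
{
    return walk_avps(buf, len, false);
}

/* Tightened heuristic: EOH as the first AVP is rejected. */
bool redback_li_heur_tight(const uint8_t *buf, size_t len)
{
    return walk_avps(buf, len, true);
}

/* Constructed samples: a packet from another protocol that starts with the
 * 32-bit version number 1, a plausible Redback packet (one AVP then EOH),
 * and a packet whose AVP length overruns the capture. */
const uint8_t k_version_pkt[] = {0x00, 0x00, 0x00, 0x01, 0xAA, 0xBB};
const uint8_t k_redback_pkt[] = {0x00, 0x01, 0x00, 0x02, 0xDE, 0xAD, 0x00, 0x00};
const uint8_t k_truncated_pkt[] = {0x00, 0x01, 0x00, 0x10, 0xDE};
```

The loose heuristic claims the version-number packet (the false positive from the thread), while the tightened one still accepts the Redback-shaped packet and rejects both the version-number packet and the truncated one.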
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev