Andrew,
See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376
There is a proposed one line fix for that EOH issue,
and I had same question about where is the protocol
specs.
Thanks-Mike
Andrew Feren wrote:
I've recently started getting a number of false positive hits from the new
Redback Lawful Intercept heuristic. I was going to try and tighten up the
heuristic a bit, but I can't find any sort of protocol specification.
Basically I use some protocols that start with a 32 bit version number.
However since the version numers are all well below 65,535 the first two
bytes are always 0. The Redback heuristic sees this as an end of header
marker and returns true.
My thought was to return false if the first avptype is an end of header
marker, but without a protocol spec I can't be sure that this is actually an
invalid redback packet.
Anyone have any more details?
-Andrew
-Andrew Feren
acferen@xxxxxxxxx
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev