Wireshark-dev: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

From: Andrew Feren <acferen@xxxxxxxxx>
Date: Thu, 10 Apr 2008 08:01:17 -0700 (PDT)
Thanks.  I tried to check the bugs this morning, but unfortunately the site was not working for me.  I'll check again in a bit.
 
-Andrew Feren
 acferen@xxxxxxxxx

----- Original Message ----
From: Michael A. McCartney <mccart@xxxxxxxxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Thursday, April 10, 2008 10:04:57 AM
Subject: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one-line fix for that EOH issue,
and I had the same question about where the protocol
specs are.

Thanks-Mike


Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
>
> Basically I use some protocols that start with a 32 bit version number.
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
>
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
>
> Anyone have any more details?
>
> -Andrew
>
> -Andrew Feren
>  acferen@xxxxxxxxx
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
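As an added example (not from the thread and not Wireshark's dissector code), a standalone C model of the two heuristics Andrew describes: the lenient one claims any buffer whose first two bytes are zero, the tightened one rejects a header whose first AVP type is the EOH marker. The AVP layout (16-bit type, 16-bit length, value bytes) and the EOH type value 0 are assumptions, since the thread notes that no protocol spec was available.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed AVP layout: 16-bit type, 16-bit value length, value bytes.
 * Type 0 is taken to be the end-of-header (EOH) marker. */
#define AVP_TYPE_EOH 0

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Lenient heuristic: returns true as soon as an EOH type is seen, even when
 * EOH is the very first AVP, so any payload starting with two zero bytes
 * (e.g. a 32-bit version number below 65536) is claimed as Redback LI. */
bool heur_lenient(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off + 4 <= len) {
        if (rd16(buf + off) == AVP_TYPE_EOH) return true;
        off += 4 + rd16(buf + off + 2);
    }
    return false;
}

/* Tightened heuristic, following the proposal in the thread: a leading EOH
 * means an empty header, so reject; otherwise require a chain of AVPs that
 * stays inside the buffer and is terminated by EOH. */
bool heur_strict(const uint8_t *buf, size_t len) {
    size_t off = 0, n_avps = 0;
    while (off + 4 <= len) {
        uint16_t type = rd16(buf + off);
        uint16_t alen = rd16(buf + off + 2);
        if (type == AVP_TYPE_EOH) return n_avps > 0;
        if (off + 4 + alen > len) return false; /* AVP runs past the buffer */
        off += 4 + alen;
        n_avps++;
    }
    return false; /* no EOH found */
}

/* Constructed samples: a packet whose first field is version 0x00000001, and a
 * Redback-style header with one AVP (type 1, 2-byte value) followed by EOH. */
const uint8_t sample_version_pkt[] = {0x00, 0x00, 0x00, 0x01, 0xDE, 0xAD};
const uint8_t sample_redback_pkt[] = {0x00, 0x01, 0x00, 0x02, 0xAB, 0xCD,
                                      0x00, 0x00, 0x00, 0x00};

int main(void) {
    printf("version pkt: lenient=%d strict=%d\n",
           heur_lenient(sample_version_pkt, sizeof sample_version_pkt),
           heur_strict(sample_version_pkt, sizeof sample_version_pkt));
    printf("redback pkt: lenient=%d strict=%d\n",
           heur_lenient(sample_redback_pkt, sizeof sample_redback_pkt),
           heur_strict(sample_redback_pkt, sizeof sample_redback_pkt));
    return 0;
}
```

Without a spec, the tightened check is still a guess about whether an empty header is legal, which is exactly the uncertainty Andrew raises before committing the change.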