Hi list,
Some SOCKS expert might want to have a look at this.
Regards,
Olivier
-----Original Message-----
From: Markus Arielus [mailto:account4me@xxxxxxxxxxx]
Subject: [Ethereal-users] (no subject)
There appears to be a problem with the SOCKS V5 decode.
It appears to identify SOCKS traffic by TCP dest 1080, then a version 5
packet by the first byte of the SOCKS packet.
However, for any SOCKS headers that begin with 0x0501 it interprets them as
a client authentication method response of 1 method (null auth). It
improperly decodes V5 connect requests this way (snoop doesn't).
There should be a test for a third V5 byte of 00, this would indicate that
the header is a V5 request, or reply, instead of an authentication
negotiation header.
If the second byte is 01 and there is a third byte (00) then the packet is
either a Connect request or a reply of General Server Failure. The fourth
byte would be the address type followed by the address and port.
I am not a programmer so I would appreciate any contributions to fix this.
I have a nice animated powerpoint of the SOCKS protocol for any volunteers.
