On Thursday 01 June 2006 12:23, ronnie sahlberg wrote:
> since it is a very rarely used protocol
> the worry would be for false positives.
> if the dissector mistakes common protocols for this one instead.
> I would be ok with its inclusion if its heuristics can be made very
> very strong so the chance of a false positive is very low.
Only the CSP protocol is critical, since the other protocols use a fixed,
32-bit SCTP payload protocol identifier. That is, the probability of a
misidentification is extremely low (1 to 2^32).
CSP uses an UDP port, but the header conatins a type field (1 byte) and a
version number (4 bytes). The dissector checks for a valid version number
(currently, only 0x00000200 is valid) and a valid type (currently, only 0x01
is defined). In combination with the UDP port number, there is an extremely
low probability for a misidentification (40 header bits + 16 bit UDP port
number must match).
> a wiki page and example traces would be looked at positively.
A pcap example trace of the protocols is attached to this mail.
Best regards
--
=======================================================================
Dipl.-Inform. Thomas Dreibholz
University of Essen, Room ES210
Inst. for Experimental Mathematics Ellernstraße 29
Computer Networking Technology Group D-45326 Essen/Germany
-----------------------------------------------------------------------
E-Mail: dreibh@xxxxxxxxxxxxxxxxxxxxx
Homepage: http://www.exp-math.uni-essen.de/~dreibh
=======================================================================
Attachment:
pgpTMRkjiYR0j.pgp
Description: PGP signature
Attachment:
rsplib-protocols.pcap.gz
Description: GZip compressed PCAP traces
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
