https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5727
Chris Maynard <christopher.maynard@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #7595|review_for_checkin? |
Flag| |
Attachment #7595|0 |1
is obsolete| |
Attachment #7596| |review_for_checkin?
Flag| |
--- Comment #3 from Chris Maynard <christopher.maynard@xxxxxxxxx> 2011-12-18 10:10:25 PST ---
Created an attachment (id=7596)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7596)
Tighten up conversation port matching even more once the 2nd port is known.
After some further testing, I found a capture file in the menagerie that
convinced me to try to tighten up the port matching even further. The file is
sniffer_cybercop_scan.cap and it basically contains a port scan.
The following scenario incorrectly indicated frame 2455 as TFTP:
Frame 2454: srcport 2462 -> destport 69
Frame 2455: srcport 2462 -> destport 71
This is because the conversation was setup with port 2462 and any other port;
however, in this case 2462 was the source port so the next packet in the
conversation should have 2462 as the destination port, not as the source port
again. The attached patch therefore accounts for this by only matching the
source port of the 1st half of the conversation establishment with the
destination port of the 2nd half of the conversation establishment and bailing
out otherwise.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
