Wireshark-dev: Re: [Wireshark-dev] SIP heuristics

From: Lars Roland <lars.roland@xxxxxxx>
Date: Fri, 09 Jun 2006 01:53:46 +0200
Jaap Keuter schrieb:
Hi Lars,

Thanks for picking this up.

What we could do (would help in my situation) is to check if the method
does contain only valid ASCII characters. If not fail as SIP.

Yes, but the definition of "valid chars" makes it difficult. (complicated charset, not easy to check, but heuristics must work fast) However chars >= 0x80 or < 0x20 are not allowed in methods anyway.

Thus we could add a check to the heuristics, which rejects packets, if it finds octets < 0x20 or >= 0x80 before the first space character (0x20). In theory we can still get false positives with this additional check, but at least it makes the heuristics stronger.

I don't have time to work on it on this weekend. Feel free to implement a solution this or any other way. :)

Best regards,

On Thu, 8 Jun 2006, Lars Roland wrote:

//Hello Jaap,

I just subscribed to this list and discoverd your mail in the archive.

The request line starts with the Method. Anything before is not SIP and
shouldn't be marked as such.

Q: Should the heuristics try to discover SIP Packets encapsulated within
unknown data?
IMO it should only discover SIP Packets, when the tvbuff in question
directly starts with a SIP header and contains no unknown leading bytes.
The problem here is, that the Request Line starts with the Method, which
can contain a lot of different ASCII characters. A heuristic, which
detects a SIP Request Line 100% correctly can be very time consuming,
because of the complex charset

As you noticed the SIP heuristics are too weak at the moment. IMO we
should have strong heuristics, which may not detect all syntactically
valid SIP packets, but will never detect false positives. Perhaps we
should limit the heuristic detection to known SIP methods.

Best regards,

From// Jaap Keuter <jaap.keuter@xxxxxxxxx
<mailto:[email protected]>> //Date// Wed, 7 Jun 2006 15:32:25
+0200 (CEST)


Now that the dust is settling (until the user community comes barging in
;) let us slowly get back to the real stuff.

I've got trouble with SIP heuristics. Currently it tries to see if the
packet contains what looks like a few tokens, which are checked to certain
criteria. The trouble is that I've got SIP lines packed up in other
(binary coded) protocols, which do contain NULL characters. Still the SIP
heuristics take that as being part of the request line...... That can't be
right, can it? Shouldn't the heuristics take the UDP/TCP payload and take
the _zero terminated_ string in there to determine if it is a SIP packet
after all?

Your thoughts please,

Wireshark-dev mailing list

Wireshark-dev mailing list