checked in
i agree that checking the udp port and 5 bytes of payload should be
adequate protection against false positives
can you create a wiki page for these protocols as well? it is very
nice with wiki pages for protocols.
On 6/1/06, Thomas Dreibholz <dreibh@xxxxxxxxxxxxxx> wrote:
On Thursday 01 June 2006 12:23, ronnie sahlberg wrote:
> since it is a very rarely used protocol
> the worry would be for false positives.
> if the dissector mistakes common protocols for this one instead.
> I would be ok with its inclusion if its heuristics can be made very
> very strong so the chance of a false positive is very low.
Only the CSP protocol is critical, since the other protocols use a fixed,
32-bit SCTP payload protocol identifier. That is, the probability of a
misidentification is extremely low (1 to 2^32).
CSP uses an UDP port, but the header conatins a type field (1 byte) and a
version number (4 bytes). The dissector checks for a valid version number
(currently, only 0x00000200 is valid) and a valid type (currently, only 0x01
is defined). In combination with the UDP port number, there is an extremely
low probability for a misidentification (40 header bits + 16 bit UDP port
number must match).
> a wiki page and example traces would be looked at positively.
A pcap example trace of the protocols is attached to this mail.
Best regards
--
=======================================================================
Dipl.-Inform. Thomas Dreibholz
University of Essen, Room ES210
Inst. for Experimental Mathematics Ellernstraße 29
Computer Networking Technology Group D-45326 Essen/Germany
-----------------------------------------------------------------------
E-Mail: dreibh@xxxxxxxxxxxxxxxxxxxxx
Homepage: http://www.exp-math.uni-essen.de/~dreibh
=======================================================================
