Wireshark-dev: Re: [Wireshark-dev] Using "ip.id" for dissector_add
From: Michael Tüxen <[email protected]>
Date: Tue, 1 Jan 2008 13:46:45 +0100
Dear all,

comments in-line.

Best regards

On Jan 1, 2008, at 12:56 PM, Guy Harris wrote:

Lars Friedrichs wrote:

thanks for your reply. I know that the protocol is really misbehaving in
several ways but I am not the one who wrote it nor the one who may
change it. But from your answer I can conclude that it is not possible
to do so?!

Is the implementation of the protocol assuming that the only other
implementations of the protocol with which it exchanges packets assigns
the identification field in such a fashion as not to put arbitrary
values into the IP identification field? And, therefore, is it assuming
that, for example, this will cause no problems if any routers between
the source and destination fragment any packets?

If so, then the designer of the protocol really needs to study RFC 791
until their eyeballs bleeed.

If you really need to dissect such an utterly broken protocol, you could try adding to the IP dissector code to have an "ip.id" dissector table.
but make sure that your dissector is not handling by accident a
packet from a different protocol... Not sure how that can be done,
it depends on the protocol.
Wireshark-dev mailing list
[email protected]