
Wireshark-dev: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and request for feedbac

From: Jakub Zawadzki <darkjames@xxxxxxxxxxxxxxxx>
Date: Wed, 29 Apr 2009 01:41:43 +0200
On Wed, Apr 29, 2009 at 12:06:12AM +0200, Joerg Mayer wrote:
> On Mon, Apr 27, 2009 at 10:14:03PM +0200, Sake Blok wrote:
> > Regarding the Expert Info, since there are packets with all kinds of TTLs and it would take a broader look at all frames to discover the right TTL, I would say it would be a bit tricky to create such an expert info item. Also, filtering on TTL alone won't do it, as you would need to save these frames to a new file first, otherwise the bogus frames will still be used for reassembly.
> 
> Adding an expert item should be easy: If there's more than one TTL value seen in a single TCP stream, that either means that there are alternate paths with different amounts of hops in there (which is perfectly possible but still worth an info item) or it is some sort of obfuscation, which is also worth an info item.  Whether/how to handle that case in the reassemble code is another thing.

Well, I didn't look at the SniffJoke sources, but if the hop count decreases, then packets sent by
SniffJoke will reach the target system - and something bad might happen :)

If the hop count increases, we might be lucky enough and not receive bogus packets.
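
The check Joerg Mayer proposes in the quoted text above (more than one TTL value seen in a single TCP stream), as an added example that is not part of the original message and is not Wireshark code. It assumes the check is done per direction, since the two endpoints normally send with different TTLs; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

def parse_ipv4_tcp(pkt: bytes):
    """Return ((src, dst, sport, dport), ttl) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 4:
        return None                                # bad header, not TCP, or cut short
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (pkt[12:16], pkt[16:20], sport, dport), pkt[8]

def ttl_anomalies(packets):
    """Map each one-directional flow to the (frame, ttl) pairs whose TTL differs
    from that flow's most common TTL. Flows with a single TTL are omitted."""
    seen = defaultdict(list)                       # flow -> [(frame_no, ttl), ...]
    for frame_no, pkt in enumerate(packets, start=1):
        parsed = parse_ipv4_tcp(pkt)
        if parsed:
            seen[parsed[0]].append((frame_no, parsed[1]))
    report = {}
    for flow, obs in seen.items():
        counts = Counter(ttl for _, ttl in obs)
        if len(counts) > 1:                        # the "more than one TTL" condition
            usual = counts.most_common(1)[0][0]
            report[flow] = [(n, ttl) for n, ttl in obs if ttl != usual]
    return report

def build(src, dst, sport, dport, ttl):
    """Constructed sample packet: minimal IPv4 header plus TCP ports only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, 6, 0,
                     bytes(src), bytes(dst))
    return ip + struct.pack("!HH", sport, dport)

A, B = (192, 0, 2, 10), (198, 51, 100, 20)         # documentation addresses
SAMPLE = [                                         # constructed capture
    build(A, B, 40000, 80, 64),
    build(B, A, 80, 40000, 52),   # reverse direction: a different TTL is normal
    build(A, B, 40000, 80, 64),
    build(A, B, 40000, 80, 3),    # odd TTL within the same direction
    build(A, B, 40000, 80, 64),
]

if __name__ == "__main__":
    for flow, frames in ttl_anomalies(SAMPLE).items():
        print(flow, frames)
```

As the quoted text notes, a hit can also be a legitimate path change, so the result is an informational flag rather than proof of injected frames.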