
Wireshark-dev: Re: [Wireshark-dev] Appropriate action on a protocol failure?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 10 Nov 2009 00:07:15 -0800

On Nov 9, 2009, at 1:24 PM, J.C. Wren wrote:

> My protocol payloads consist of one or more TLV (Type-Length-Value) sequences. The dissector decodes the various TLVs. Values represent various parameters to a command. Right now if a value is out of range, I use DISSECTOR_ASSERT() for the test. I know this isn't the best way to do it, but I don't know what it is.

Put an "expert info" entry in, indicating that something's wrong with the packet.

> I do want to stop decoding the packet at this point, since it's likely everything following it is munged.

Or not.

I would continue dissection, as you don't *know* that everything following it is munged - it might just be a TLV for which you haven't updated the dissector yet. That's what most dissectors do - whether they add an "expert info" entry or not, they don't just stop dissecting; generally, they only stop dissecting if it's *impossible* to continue dissecting. If the T is invalid, you still have an L, so just dissect the appropriate number of bytes as an opaque blob for an unknown TLV and skip to what would be the next TLV. If the V is invalid, just skip to the next TLV, again.
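
A stand-alone C model of the policy described in this reply, added here as an example; it is not code from the thread or from Wireshark. The 1-byte type / 1-byte length layout, the type codes, the value ranges and the names `walk_tlvs` and `tlv_stats` are assumptions; each counter marks a spot where a real dissector would add an expert info entry rather than assert.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire format (not from the thread): 1-byte type, 1-byte length, value. */
enum { T_LEVEL = 0x01, T_PORT = 0x02 };   /* hypothetical known types */

struct tlv_stats {
    unsigned ok;         /* known T, V in range */
    unsigned unknown;    /* unknown T: treated as an opaque blob, skipped via L */
    unsigned bad_value;  /* known T, invalid V: flagged, skipped via L */
    unsigned truncated;  /* T/L or V runs past the buffer: impossible to continue */
};

/* Walk every TLV in buf, flagging problems instead of aborting on the first one.
 * Returns the offset where walking stopped (== len when everything was consumed). */
size_t walk_tlvs(const uint8_t *buf, size_t len, struct tlv_stats *st)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) { st->truncated++; break; }        /* no room for T and L */
        uint8_t type = buf[off], vlen = buf[off + 1];
        const uint8_t *val = buf + off + 2;
        if (vlen > len - off - 2) { st->truncated++; break; } /* L points past the end */
        switch (type) {
        case T_LEVEL:   /* hypothetical rule: exactly 1 byte, 0..100 */
            if (vlen == 1 && val[0] <= 100) st->ok++; else st->bad_value++;
            break;
        case T_PORT:    /* hypothetical rule: exactly 2 bytes, non-zero */
            if (vlen == 2 && (val[0] | val[1]) != 0) st->ok++; else st->bad_value++;
            break;
        default: st->unknown++; break;   /* invalid T, but L is still usable */
        }
        off += 2 + (size_t)vlen;   /* always advance by L to the next TLV */
    }
    return off;
}

int main(void)
{
    /* Constructed sample: bad LEVEL (200), unknown type 0x7F, good PORT, truncated LEVEL. */
    static const uint8_t pkt[] = { 0x01,0x01,0xC8, 0x7F,0x03,0xAA,0xBB,0xCC,
                                   0x02,0x02,0x1F,0x90, 0x01,0x04,0x00 };
    struct tlv_stats st = {0};
    size_t end = walk_tlvs(pkt, sizeof pkt, &st);
    printf("ok=%u unknown=%u bad=%u truncated=%u stopped_at=%zu\n",
           st.ok, st.unknown, st.bad_value, st.truncated, end);
    return 0;
}
```

The out-of-range value and the unknown type do not prevent the valid PORT TLV after them from being decoded; only the final TLV, whose length runs past the end of the buffer, stops the walk.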