
Wireshark-dev: Re: [Wireshark-dev] catching [Malformed Packet]

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Sat, 24 Sep 2011 22:44:56 +0100


On Sat, Sep 24, 2011 at 8:55 PM, Roland Knall <rknall@xxxxxxxxx> wrote:
On Sat, Sep 24, 2011 at 9:09 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Sep 24, 2011, at 9:58 AM, Chris Maynard wrote:
>
>> Roland Knall <rknall@...> writes:
>>
>>> On a similar topic, how can you mark a package as malformed?
>>> Especially generated packages often fail the openSAFETY dissector, and
>>> marking them as malformed seems to make sense in such cases.
>>
>> Many dissectors make use of the expert infos for this.
>
> ...which is the right way to do it.  Doing it by throwing an exception makes errors such as "malformed because field XXX is too short" indistinguishable from "malformed because the packet is missing data at the end", and also means you stop dissecting at that point.

That is the reason I am asking. I have quite a few assertions in my
code now, and although they do the trick, the right way should be
malformed in any of these cases.

I will update my code now, and provide a patch for the opensafety
dissector, as soon as I am done.

Roland


Note that the "malformed" filter will match both frames that threw an exception (e.g. because there was data missing) or because Malformed expert info was added by a dissector.  I've used Malformed expert info for lots of situations, e.g. non-zero reserved bits, protocol items appearing in the wrong order, etc.

Martin
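The two outcomes Guy and Martin distinguish, as an added stand-alone C model written for this page (not Wireshark code): a bounds-checked read that aborts the whole dissector, the way Wireshark's bounds exception does, versus a field check that records a PI_MALFORMED expert info and keeps dissecting. The tvb_t/tvb_get_u8/expert_malformed helpers and the toy header layout are hypothetical stand-ins for epan's API.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for epan's tvbuff and expert-info calls (not Wireshark code). */
typedef struct { const uint8_t *data; size_t len; } tvb_t;
typedef struct {
    int exception;      /* set when a read ran off the end, like Wireshark's bounds exception */
    int malformed;      /* count of PI_MALFORMED expert infos the dissector added */
    size_t consumed;    /* bytes dissected before finishing (stays 0 when aborted) */
} dissect_result_t;

static jmp_buf bounds_env;

/* Reading past the captured data aborts the whole dissector, as tvb_get_guint8() would. */
static uint8_t tvb_get_u8(const tvb_t *tvb, size_t off) {
    if (off >= tvb->len) longjmp(bounds_env, 1);
    return tvb->data[off];
}

/* Stand-in for expert_add_info_format(..., PI_MALFORMED, PI_ERROR, ...): record and continue. */
static void expert_malformed(dissect_result_t *r) { r->malformed++; }

/* Toy header (constructed for this example): byte0 version, must be 1; byte1 flags,
   top four bits reserved and must be 0; byte2 payload length; then the payload. */
void dissect(const uint8_t *data, size_t len, dissect_result_t *r) {
    tvb_t tvb = { data, len };
    memset(r, 0, sizeof *r);
    if (setjmp(bounds_env)) {       /* landed here from tvb_get_u8(): data was missing */
        r->exception = 1;
        return;
    }
    if (tvb_get_u8(&tvb, 0) != 1)   expert_malformed(r);   /* unsupported version */
    if (tvb_get_u8(&tvb, 1) & 0xF0) expert_malformed(r);   /* non-zero reserved bits */
    size_t plen = tvb_get_u8(&tvb, 2);
    for (size_t i = 0; i < plen; i++) (void)tvb_get_u8(&tvb, 3 + i);  /* throws if truncated */
    r->consumed = 3 + plen;
}

/* The "malformed" display filter would match any non-zero result; classify() keeps the
   causes apart: 0 = clean, 1 = expert info only, 2 = exception only, 3 = both. */
int classify(const uint8_t *data, size_t len) {
    dissect_result_t r;
    dissect(data, len, &r);
    return (r.malformed ? 1 : 0) | (r.exception ? 2 : 0);
}
```

With the expert-info approach the reserved-bits case still yields a fully dissected frame (consumed == 4 for the second sample), while the exception path never gets past the truncated read.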