Wireshark-dev: [Wireshark-dev] Insufficient Data for Heuristic

From: Evan Huus <eapache@xxxxxxxxx>
Date: Sat, 22 Feb 2014 19:13:38 -0500

This came up on a review [1] and I was wondering if there was already
a consensus or if we could easily reach one.

If a dissector checks the captured length and finds that it doesn't
have enough data captured to run its heuristic (assuming there was
enough on the wire for the packet to be valid), should that count as
an auto-pass, or an auto-fail (i.e. should the heuristic reject the
packet, or assume that it's valid and skip the check)?

My instinct is to count it as a pass; we'll dissect the first few
fields then throw an exception. I suppose there are potentially other
dissectors in line that would actually accept the packet, but then
there might also be cases where there aren't any, and we'd be leaving
it undissected.

Thoughts?
Evan

[1] https://code.wireshark.org/review/314
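
The trade-off raised in the message above, as an added example that is not part of the original post and not Wireshark code. It is a self-contained model: the packet struct, the two policies and the protocols proto_a and proto_b are hypothetical, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a snaplen-truncated frame (not Wireshark's tvbuff API):
 * `captured` bytes are in the capture file, `reported` bytes were on the wire. */
typedef struct { const uint8_t *data; size_t captured, reported; } pkt_t;
typedef enum { PASS_IF_SHORT, FAIL_IF_SHORT } policy_t;
/* Hypothetical heuristic: the first `need` bytes must equal `magic`. */
typedef struct { const char *name; const uint8_t *magic; size_t need; } heur_t;

static int heuristic_accepts(const heur_t *h, const pkt_t *p, policy_t pol)
{
    if (p->reported < h->need)      /* too short on the wire: never valid */
        return 0;
    if (p->captured < h->need)      /* valid on the wire, cut by the snaplen */
        return pol == PASS_IF_SHORT;
    return memcmp(p->data, h->magic, h->need) == 0;
}

/* Constructed sample: two heuristics tried in order, and a 64-byte frame of
 * which only 4 bytes were captured. Its first two bytes match proto_b. */
static const uint8_t MAGIC_A[] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02};
static const uint8_t MAGIC_B[] = {0x42, 0x50};
static const heur_t HEURS[] = { {"proto_a", MAGIC_A, 8}, {"proto_b", MAGIC_B, 2} };
static const uint8_t FRAME[] = {0x42, 0x50, 0x00, 0x01};
static const pkt_t TRUNCATED = { FRAME, 4, 64 };

/* Name of the first of the first `nheur` heuristics to claim the frame,
 * or "(undissected)" if none does. */
const char *claimed_by(policy_t pol, size_t nheur)
{
    for (size_t i = 0; i < nheur; i++)
        if (heuristic_accepts(&HEURS[i], &TRUNCATED, pol))
            return HEURS[i].name;
    return "(undissected)";
}

int main(void)
{
    printf("pass, a+b:    %s\n", claimed_by(PASS_IF_SHORT, 2));
    printf("fail, a+b:    %s\n", claimed_by(FAIL_IF_SHORT, 2));
    printf("fail, a only: %s\n", claimed_by(FAIL_IF_SHORT, 1));
    return 0;
}
```

With the pass policy proto_a claims a frame that proto_b would have matched; with the fail policy and no other heuristic in line, the frame is left undissected.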