
Wireshark-dev: Re: [Wireshark-dev] Insufficient Data for Heuristic

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 24 Feb 2014 17:14:58 -0500
On 02/22/14 19:13, Evan Huus wrote:
> This came up on a review [1] and I was wondering if there was already
> a consensus or if we could easily reach one.
>
> If a dissector checks the captured length and finds that it doesn't
> have enough data captured to run its heuristic (assuming there was
> enough on the wire for the packet to be valid), should that count as
> an auto-pass, or an auto-fail (ie should the heuristic reject the
> packet, or assume that it's valid and skip the check)?
>
> My instinct is to count it as a pass; we'll dissect the first few
> fields then throw an exception. I suppose there are potentially other
> dissectors in line that would actually accept the packet, but then
> there might also be cases where there aren't any, and we'd be leaving
> it undissected.

The way I've always done it has been that if there is not enough data, I can't claim it at my protocol. Chances are the message will end up being dissected as data and if the user's sure it's my protocol s/he could always Decode-As (bypassing the heuristics). But I'd rather not claim something I'm not sure is mine.

Of course it generally helps if the heuristics are looking at the first few bytes of the message...
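As an added illustration of the "don't claim it" policy described in this thread (example code, not from the thread or from Wireshark's source): a heuristic for a hypothetical FOO protocol that distinguishes the wire (reported) length from the captured length and returns false when the capture is too short to run its checks, so the frame falls through to other dissectors or to "data". The tvbuff_t struct, the FOO header layout and the tvb_* helpers are minimal stand-ins for Wireshark's API so the file compiles on its own.

```c
/* Added example: models a heuristic dissector that refuses to claim a packet
 * when the capture is truncated. tvbuff_t and the tvb_* helpers are stand-ins
 * for Wireshark's API; the FOO header format is assumed for illustration. */
#include <stdbool.h>
#include <stdint.h>

#define FOO_MIN_HDR_LEN 8u       /* bytes the heuristic needs to inspect (assumed) */
#define FOO_MAGIC       0xF00Du  /* assumed 16-bit magic at offset 0 */

typedef struct {
    const uint8_t *data;
    unsigned captured_len;   /* bytes actually present in the capture file */
    unsigned reported_len;   /* bytes that were on the wire */
} tvbuff_t;

static unsigned tvb_captured_length(const tvbuff_t *tvb) { return tvb->captured_len; }
static unsigned tvb_reported_length(const tvbuff_t *tvb) { return tvb->reported_len; }
static uint16_t tvb_get_ntohs(const tvbuff_t *tvb, unsigned off)
{ return (uint16_t)((tvb->data[off] << 8) | tvb->data[off + 1]); }

/* Returns true only when the packet can be shown to be FOO. A frame that was
 * long enough on the wire but not captured far enough to check is rejected,
 * not assumed valid. */
static bool dissect_foo_heur(const tvbuff_t *tvb)
{
    /* Too short on the wire: cannot hold a valid FOO header at all. */
    if (tvb_reported_length(tvb) < FOO_MIN_HDR_LEN)
        return false;
    /* Enough on the wire, but the snaplen cut off the bytes we need: don't claim it. */
    if (tvb_captured_length(tvb) < FOO_MIN_HDR_LEN)
        return false;
    if (tvb_get_ntohs(tvb, 0) != FOO_MAGIC)
        return false;
    if (tvb->data[2] != 1)                     /* assumed version field */
        return false;
    uint16_t len = tvb_get_ntohs(tvb, 4);      /* assumed total-length field */
    /* Length must cover the header and must not exceed what the wire carried. */
    return len >= FOO_MIN_HDR_LEN && len <= tvb_reported_length(tvb);
}

/* Constructed sample: a 12-byte FOO message (magic, version 1, length 12, payload). */
static const uint8_t foo_pkt[12] = { 0xF0, 0x0D, 0x01, 0x00, 0x00, 0x0C, 0x00, 0x00, 1, 2, 3, 4 };

bool full_capture_is_claimed(void)      /* snaplen covered the whole frame */
{ tvbuff_t t = { foo_pkt, 12, 12 }; return dissect_foo_heur(&t); }
bool truncated_capture_is_claimed(void) /* 12 bytes on the wire, only 4 captured */
{ tvbuff_t t = { foo_pkt, 4, 12 }; return dissect_foo_heur(&t); }
bool short_on_wire_is_claimed(void)     /* frame itself too short for a FOO header */
{ tvbuff_t t = { foo_pkt, 6, 6 }; return dissect_foo_heur(&t); }
```

With the truncated frame rejected, a user who knows the traffic is FOO can still force it via Decode As, which bypasses the heuristic entirely.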