Wireshark-dev: Re: [Wireshark-dev] False positive from the new "Look for incomplete dissectors"
From: Anders Broman <[email protected]>
Date: Thu, 12 Feb 2015 18:18:54 +0100


Den 12 feb 2015 16:46 skrev "Dario Lombardo" <[email protected]>:
>
> Hi Anders
> If you carefully have a look at the bytes, you can notice that the 2 bytes reported by the logs are claimed by the SIP dissector, but they're not decoded. 
> Until SIP/2.0, bytes are decoded (address up to 0x0040+12). 
> From "Max-Forward" and beyond (address 0x0040+15) they are decoded. 
>
> Addresses 0x0040 +13 and +14 are not decoded. That's exactly what I would have expected. If you click on them, the entire "SIP - REGISTER" is highlighted.
>
> It is related to the textual nature of sip... the 2 undecoded bytes are 0x0d0a (CR+NL). A char sequence that not only is allowed in sip, but AFAIK, can also be repeated multiple times. 
>
> As told the algorithm is not perfect and I will have to take care of special cases like that. I will have a look at the sip dissector to understand how to threat those text protocols (maybe many others are around... like HTTP :)).
>
> Thanks for having pointed it out.

I suspected as much, but I think all the sip lines skip the CRLF...
>
> On Thu, Feb 12, 2015 at 4:32 PM, Anders Broman <[email protected]> wrote:
>>
>> Hi,
>>
>> The enclosed frame shows what I think is a false positive.
>>
>> Regards
>>
>> Anders
>>
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <[email protected]xxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>              mailto:[email protected]?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe