wireshark-dev October 2010 archive
Main Archive Page > Month Archives  > wireshark-dev archives
wireshark-dev: Re: [Wireshark-dev] SVN revision 34640 and heuris

Re: [Wireshark-dev] SVN revision 34640 and heuristic dissectors

From: Jeff Morriss <jeff.morriss.ws_at_nospam>
Date: Mon Oct 25 2010 - 17:18:15 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

Pascal Quantin wrote:
> Hi
>
> 2010/10/25 Pascal Quantin <pascal.quantin@gmail.com
> <mailto:pascal.quantin@gmail.com>>
>
> Hi,
>
> 2010/10/25 Jeff Morriss <jeff.morriss.ws
> <http://jeff.morriss.ws>@gmail.com <http://gmail.com>>
>
> Pascal Quantin wrote:
> > Hi,
> >
> > since revision 34640, none of UDP heuristic dissectors I use
> (LTE-MAC,
> > LTE-RLC or LTE-PDCP) work: all the frames are decoded as ADwin
> > configuration protocol.
> >
> > When looking at the code in function dissect_adwin_config() (file
> > packet-adwin-config.c), the heuristic seems a bit weak:
> > [...]
> > length = tvb_reported_length(tvb);
> >
> > if (pinfo->ipproto == IP_PROTO_UDP &&
> > ! (length == UDPStatusLENGTH
> > || length == UDPExtStatusLENGTH
> > || length == UDPMessageLENGTH
> > || length == UDPMessageLENGTH_wrong
> > || length == UDPInitAckLENGTH
> > || length == UDPIXP425FlashUpdateLENGTH
> > || length == UDPOutLENGTH))
> > return (0);
> > [...]
> >
> > Could it be possible to do something more robust ?
>
> Oops, sorry. We're discussing some stronger heuristics in bug 5324.
>
>
> While you iterate on it, would it be possible to add a preference
> (off by default) stating whether the ADwin heuristic dissectors are
> activated or not (like what is done in packet-mac-lte.c for example) ?
>
>
> Having a second look at the code, it's even worse than what I first
> thought. Any pinfo->ipproto different from IP_PROTO_UDP or IP_PROTO_TCP
> will be intercepted by the ADwin dissector.
>
> Adding something like:
>
> if (pinfo->ipproto != IP_PROTO_UDP && pinfo->ipproto != IP_PROTO_TCP)
> return (0);
>
> Solved the issue on my side.

Checked in rev 34644, thanks!
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe