Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

On Fri, Feb 13, 2015 at 5:15 PM, Jeff Morriss jeff.morriss...@gmail.com wrote: I have to admit that I like being able to click on a byte and see what field it maps to. From that perspective I like when padding is claimed by the dissector which knew it was padding. And when CR+NL are claimed

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

On Thu, Feb 12, 2015 at 6:18 PM, Anders Broman a.broma...@gmail.com wrote: I suspected as much, but I think all the sip lines skip the CRLF... What about adding the skipped bytes as hidden, labeled as unused bytes? ___

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

Den 13 feb 2015 09:45 skrev Dario Lombardo dario.lombardo...@gmail.com: On Thu, Feb 12, 2015 at 6:18 PM, Anders Broman a.broma...@gmail.com wrote: I suspected as much, but I think all the sip lines skip the CRLF... What about adding the skipped bytes as hidden, labeled as unused bytes?

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

On Fri, Feb 13, 2015 at 10:14 AM, Anders Broman a.broma...@gmail.com wrote: First thought is, unnecessary processing to satisfy this new functionality, which frankly I have my doubts about... I have the same feeling. But I can't figure out something else so far.

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Dario Lombardo Sent: den 13 februari 2015 10:18 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

: *From:* wireshark-dev-boun...@wireshark.org [mailto: wireshark-dev-boun...@wireshark.org] *On Behalf Of *Dario Lombardo *Sent:* den 13 februari 2015 10:18 *To:* Developer support list for Wireshark *Subject:* Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

On 02/13/15 04:14, Anders Broman wrote: Den 13 feb 2015 09:45 skrev Dario Lombardo dario.lombardo...@gmail.com mailto:dario.lombardo...@gmail.com: On Thu, Feb 12, 2015 at 6:18 PM, Anders Broman a.broma...@gmail.com mailto:a.broma...@gmail.com wrote: I suspected as much, but I think

[Wireshark-dev] False positive from the new Look for incomplete dissectors function.

Hi, The enclosed frame shows what I think is a false positive. Regards Anders sip_register.pcapng Description: sip_register.pcapng ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

Den 12 feb 2015 16:46 skrev Dario Lombardo dario.lombardo...@gmail.com: Hi Anders If you carefully have a look at the bytes, you can notice that the 2 bytes reported by the logs are claimed by the SIP dissector, but they're not decoded. Until SIP/2.0, bytes are decoded (address up to

Re: [Wireshark-dev] False positive from the new Look for incomplete dissectors function.

Hi Anders If you carefully have a look at the bytes, you can notice that the 2 bytes reported by the logs are claimed by the SIP dissector, but they're not decoded. Until SIP/2.0, bytes are decoded (address up to 0x0040+12). From Max-Forward and beyond (address 0x0040+15) they are decoded.