Hi, I think your solution is not a workaround but quite a standard solution in Wireshark. As it is not guaranteed that you have captured the whole SSL session, it is better to have a good heuristic than to rely upon state information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
Sent: Saturday, April 14, 2007 8:20 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] [PATCH] Fix false malformed SSL handshake messages (Was: Catch 22 in SSL dissector?)

On Sat, Apr 14, 2007 at 10:58:18AM -0700, Stephen Fisher wrote:
> On Sat, Apr 14, 2007 at 02:35:31PM +0200, Sake Blok wrote:
>
> > Although I'm still interested in a theoretical answer to the problem
> > of keeping state info on a per packet basis (see below), here is a
> > workaround for the bug.
>
> Would this be better fixed using per-packet state information?

Uhmm... well, with this workaround there is still a (very slim) chance that the first 4 octets of an encrypted handshake message look like an unencrypted handshake message. I guess the simpleness of this workaround has its advantages over trying to solve it through per-packet state recording.

My suggestion will be to use this patch for now and I will look into solving it with state information. I guess it's a trade-off between being practical and being exact :)

Cheers,
Sake

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
