I've recently started getting a number of false positive hits from the new Redback Lawful Intercept heuristic. I was going to try and tighten up the heuristic a bit, but I can't find any sort of protocol specification.
Basically I use some protocols that start with a 32 bit version number. However since the version numbers are all well below 65,535 the first two bytes are always 0. The Redback heuristic sees this as an end of header marker and returns true. My thought was to return false if the first avptype is an end of header marker, but without a protocol spec I can't be sure that this is actually an invalid redback packet. Anyone have any more details?

-Andrew Feren
[EMAIL PROTECTED]

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
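The false positive described in the post, modelled as an added example (this is not the Wireshark Redback dissector's code, and it makes assumptions the post does not state: the AVP layout is taken to be a big-endian 16-bit type followed by a 16-bit value length, the end-of-header marker is AVP type 0, and the sample packets are constructed, not captured). `redback_heur_lax` is the accept-on-end-of-header behaviour the post complains about; `redback_heur_tight` is the proposed tightening that rejects a header whose very first AVP is already the end-of-header marker, which is exactly what a packet opening with a small 32-bit version number looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this model: AVP type 0 is the end-of-header marker, and each
 * AVP is a big-endian 16-bit type, 16-bit value length, then the value. */
#define EOH_AVPTYPE 0x0000
#define AVP_HDR_LEN 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Model of the current heuristic: walk the AVP chain and accept as soon as an
 * end-of-header marker is seen, even when it is the very first AVP. */
bool redback_heur_lax(const uint8_t *pkt, size_t len) {
    size_t off = 0;
    while (off + 2 <= len) {
        uint16_t type = rd16(pkt + off);
        if (type == EOH_AVPTYPE) return true;        /* header ends here */
        if (off + AVP_HDR_LEN > len) return false;   /* AVP header truncated */
        uint16_t vlen = rd16(pkt + off + 2);
        off += AVP_HDR_LEN + vlen;                   /* skip to the next AVP */
    }
    return false;                                    /* no EOH before end of data */
}

/* Tightened variant proposed in the post: a header that ends before it has a
 * single AVP is rejected; otherwise fall back to the existing walk. */
bool redback_heur_tight(const uint8_t *pkt, size_t len) {
    if (len < 2 || rd16(pkt) == EOH_AVPTYPE) return false;
    return redback_heur_lax(pkt, len);
}

/* Constructed sample packets (not captures). */
static const uint8_t version_pkt[] = {        /* 32-bit version 3, then payload */
    0x00, 0x00, 0x00, 0x03, 0xde, 0xad, 0xbe, 0xef
};
static const uint8_t redback_like_pkt[] = {   /* one AVP, then the EOH marker */
    0x00, 0x01, 0x00, 0x02, 0xaa, 0xbb,
    0x00, 0x00, 0x00, 0x00
};
static const uint8_t truncated_pkt[] = {      /* AVP claims 16 value bytes, has 1 */
    0x00, 0x01, 0x00, 0x10, 0xaa
};

int main(void) {
    printf("version packet:  lax=%d tight=%d\n",
           redback_heur_lax(version_pkt, sizeof version_pkt),
           redback_heur_tight(version_pkt, sizeof version_pkt));
    printf("redback-like:    lax=%d tight=%d\n",
           redback_heur_lax(redback_like_pkt, sizeof redback_like_pkt),
           redback_heur_tight(redback_like_pkt, sizeof redback_like_pkt));
    printf("truncated:       lax=%d tight=%d\n",
           redback_heur_lax(truncated_pkt, sizeof truncated_pkt),
           redback_heur_tight(truncated_pkt, sizeof truncated_pkt));
    return 0;
}
```

The tightened check only removes the "header with zero AVPs" case; whether a real Redback packet may legitimately begin with the end-of-header marker is precisely the question the post leaves open, so the check should be confirmed against the protocol specification before being applied to the dissector.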
