Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one-line fix for that EOH issue,
and I had the same question about where the protocol
specs are.

Thanks-Mike


Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
>
> Basically I use some protocols that start with a 32 bit version number. 
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
>
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
>
> Anyone have any more details?
>
> -Andrew
>
> -Andrew Feren
>  [EMAIL PROTECTED]
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>   