Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
> 
> Basically I use some protocols that start with a 32-bit version number.
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0.  The Redback heuristic sees this as an end of header
> marker and returns true.
> 
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
> 
> Anyone have any more details?

The dissector came in via 
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320

I'm not sure if Florian is a member of this list or not.  Florian, can 
you provide some pointers?  (What about the Wiki page I asked for after 
checking in the dissector?)
_______________________________________________
Wireshark-dev mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-dev
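The false positive Andrew describes, modelled as an added example that is not code from the Wireshark dissector or from anyone in the thread. Only "an AVP type of 0 is the end-of-header marker" comes from the thread; the AVP layout (16-bit type, 16-bit value length, value bytes), the function names and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed AVP layout for this illustration: 16-bit type, 16-bit value
 * length, value bytes. Type 0 is the end-of-header marker mentioned in
 * the thread. This is not the real dissector's code. */
#define AVP_TYPE_EOH 0x0000

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Loose heuristic, modelling the complaint: walk the AVP list and accept
 * as soon as an end-of-header marker is seen, even at offset 0. */
int redback_li_heur_loose(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t type = read_be16(buf + off);
        uint16_t vlen = read_be16(buf + off + 2);
        if (type == AVP_TYPE_EOH)
            return 1;
        off += 4 + (size_t)vlen;   /* skip to the next AVP */
    }
    return 0;
}

/* Tightened heuristic (the tightening proposed in the thread): a packet
 * whose first AVP type is already the end-of-header marker carries no
 * header at all, so reject it instead of accepting it. */
int redback_li_heur_tight(const uint8_t *buf, size_t len)
{
    if (len < 4 || read_be16(buf) == AVP_TYPE_EOH)
        return 0;
    return redback_li_heur_loose(buf, len);
}

/* Constructed sample: a payload starting with the 32-bit version number
 * 0x00000001, so its first two bytes are zero, as in the false positive. */
static const uint8_t version_first_pkt[] = { 0x00, 0x00, 0x00, 0x01, 0xAA, 0xBB };

/* Constructed sample in the assumed AVP layout: one 2-byte AVP of type
 * 0x0001, then the end-of-header marker. */
static const uint8_t avp_pkt[] = { 0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("version-first: loose=%d tight=%d\n",
           redback_li_heur_loose(version_first_pkt, sizeof version_first_pkt),
           redback_li_heur_tight(version_first_pkt, sizeof version_first_pkt));
    printf("avp-shaped:    loose=%d tight=%d\n",
           redback_li_heur_loose(avp_pkt, sizeof avp_pkt),
           redback_li_heur_tight(avp_pkt, sizeof avp_pkt));
    return 0;
}
```

The loose variant accepts the version-first payload on its leading zero bytes alone, while the tightened one rejects it and still accepts the AVP-shaped packet.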