Thanks. I tried to check the bugs this morning, but unfortunately the site was not working for me. I'll check again in a bit.

-Andrew Feren
[EMAIL PROTECTED]

----- Original Message ----
From: Michael A. McCartney <[EMAIL PROTECTED]>
To: Developer support list for Wireshark <[email protected]>
Sent: Thursday, April 10, 2008 10:04:57 AM
Subject: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

Andrew,

See http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376

There is a proposed one line fix for that EOH issue, and I had the same question about where the protocol specs are.

Thanks-Mike

Andrew Feren wrote:
> I've recently started getting a number of false positive hits from the new
> Redback Lawful Intercept heuristic. I was going to try and tighten up the
> heuristic a bit, but I can't find any sort of protocol specification.
>
> Basically I use some protocols that start with a 32 bit version number.
> However since the version numbers are all well below 65,535 the first two
> bytes are always 0. The Redback heuristic sees this as an end of header
> marker and returns true.
>
> My thought was to return false if the first avptype is an end of header
> marker, but without a protocol spec I can't be sure that this is actually an
> invalid redback packet.
>
> Anyone have any more details?
>
> -Andrew
>
> -Andrew Feren
> [EMAIL PROTECTED]
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
