On Thu, Apr 10, 2008 at 10:21:28AM -0400, Jeff Morriss wrote:
> Andrew Feren wrote:
> > I've recently started getting a number of false positive hits from the new
> > Redback Lawful Intercept heuristic. I was going to try and tighten up the
> > heuristic a bit, but I can't find any sort of protocol specification.
> >
> > Basically I use some protocols that start with a 32 bit version number.
> > However since the version numbers are all well below 65,535 the first two
> > bytes are always 0. The Redback heuristic sees this as an end of header
> > marker and returns true.
> >
> > My thought was to return false if the first avptype is an end of header
> > marker, but without a protocol spec I can't be sure that this is actually an
> > invalid redback packet.
> >
> > Anyone have any more details?
>
> The dissector came in via
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320
>
> I'm not sure if Florian is a member of this list or not. Florian, can
> you provide some pointers? (What about the Wiki page I asked for after
> checking in the dissector?)
I thought about packets being all zero after the patch got added
and that might end up being taken by the redbackli dissector
accidentally.
I'll try to cook up a patch tonight which checks for the existence of some
"essential" AVPs ...
Basically the protocol is not published and I reverse engineered it
from traces. It's a packet header for forwarding lawful intercept traffic
from a RedBack SmartEdge router to some device which passes the traffic
on to some government bodies. To differentiate the different lawful
intercept sessions one can either use a "label" and/or a "lawful intercept
id". At least one of those two and a sequence number should be present
before an "eoh" AVP ...
Attached is a simple trace - the traffic is artificial, which is the cause
for the encapsulated UDP packet being broken ...
Flo
--
Florian Lohoff [EMAIL PROTECTED] +49-171-2280134
Those who would give up a little freedom to get a little
security shall soon have neither - Benjamin Franklin
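The two heuristics discussed above, side by side, as an added illustration (not Florian's patch and not the Wireshark dissector's code). It assumes a TLV layout of 16-bit type, 16-bit value length, value bytes, with type 0 as the "eoh" marker; the label, LI-id and sequence-number type numbers are placeholders, since the thread gives none:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout, not a published spec: the header is a run of AVPs, each
 * a 16-bit type followed by a 16-bit value length and the value bytes.
 * Type 0 is the end-of-header (eoh) marker, which is why a packet whose
 * first two bytes are 0 (a small 32-bit version number) looks like one.
 * The other type numbers are placeholders, not Redback's real values. */
enum { AVP_EOH = 0, AVP_LABEL = 1, AVP_LI_ID = 2, AVP_SEQNO = 3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Loose check as described in the thread: "true" as soon as an eoh AVP
 * is seen, so an all-zero first word is enough to claim the packet. */
bool redbackli_heur_loose(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t type = rd16(pkt + off), vlen = rd16(pkt + off + 2);
        if (type == AVP_EOH) return true;
        off += 4 + vlen;
    }
    return false;
}

/* Tightened check: refuse an eoh as the first AVP, and require a label
 * or LI id plus a sequence number before the eoh, as Florian describes. */
bool redbackli_heur_strict(const uint8_t *pkt, size_t len)
{
    bool have_session = false, have_seq = false;
    size_t off = 0;
    for (int n = 0; off + 4 <= len && n < 16; n++) {
        uint16_t type = rd16(pkt + off), vlen = rd16(pkt + off + 2);
        if (type == AVP_EOH)
            return n > 0 && have_session && have_seq; /* eoh first: reject */
        if (off + 4 + vlen > len) return false;        /* truncated AVP */
        if (type == AVP_LABEL || type == AVP_LI_ID) have_session = true;
        else if (type == AVP_SEQNO) have_seq = true;
        off += 4 + vlen;
    }
    return false; /* no eoh within a sane number of AVPs */
}

/* Constructed samples: a packet from a "version 3" protocol that begins
 * with a 32-bit version, and a plausible LI header (label "a", seqno 7,
 * eoh) built with the placeholder type numbers above. */
const uint8_t SAMPLE_VERSIONED[] = { 0x00,0x00,0x00,0x03, 0xde,0xad,0xbe,0xef };
const uint8_t SAMPLE_LI[] = { 0x00,0x01,0x00,0x01,'a', 0x00,0x03,0x00,0x04,0,0,0,7,
                              0x00,0x00,0x00,0x00 };
```

The versioned packet passes the loose check and fails the strict one, while the constructed LI header passes both.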
_______________________________________________ Wireshark-dev mailing list [email protected] http://www.wireshark.org/mailman/listinfo/wireshark-dev
