It seems to be used to check according to very specific destination ports,
if we should dissect the messages as client to server or server to client
messages. I'm not sure why not just compare the current destination port
with the one we've saved in the conversation.
This will avoid erroneous dissection of VNC traffic on a non-standard port
(that was not explicitly defined in the preferences).

BTW, there's no minimum length verification for messages. I'd assume that if
we try to dissect traffic as VNC we should probably verify minimal lengths -
both SERVER_VERSION and CLIENT_VERSION packets should be EXACTLY 12 bytes
long and start with ASCII chars 'RFB ' (3 letters and a space - hex 52 46 42
20).
Moreover, this could also be used to heuristically find VNC traffic on
non-standard ports.

If agreed, I'll try to follow this with a patch, at least for some of the
comments above.

Regards,
Y.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
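
The length and prefix check proposed in the message above, together with direction detection from a saved port, as an added example (not part of the original message and not Wireshark's dissector code). The struct and function names are hypothetical; the digit layout "RFB xxx.yyy\n" and the server sending its version first come from the RFB specification (RFC 6143) and go beyond what the message states.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RFB_VERSION_LEN 12          /* "RFB xxx.yyy\n" */

/* Hypothetical per-conversation state; not a Wireshark structure. */
struct vnc_conv {
    int      seen_version;          /* a version message was accepted */
    uint16_t server_port;           /* source port of that first message */
};

/* Returns 1 only for a well-formed ProtocolVersion message. */
int rfb_is_version_msg(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len != RFB_VERSION_LEN)
        return 0;                   /* must be EXACTLY 12 bytes */
    if (memcmp(buf, "RFB ", 4) != 0)
        return 0;                   /* hex 52 46 42 20 */
    for (size_t i = 4; i < 11; i++) {
        if (i == 7) {
            if (buf[i] != '.')
                return 0;           /* separator between major and minor */
        } else if (!isdigit(buf[i])) {
            return 0;               /* version fields are decimal digits */
        }
    }
    return buf[11] == '\n';
}

/* Heuristic entry point: claim a conversation only if its first payload
 * is a version message, and remember the sender's port as the server port. */
int vnc_heur_accept(struct vnc_conv *c, const uint8_t *buf, size_t len,
                    uint16_t srcport)
{
    if (!c->seen_version) {
        if (!rfb_is_version_msg(buf, len))
            return 0;               /* not VNC: leave it to other dissectors */
        c->seen_version = 1;
        c->server_port = srcport;
    }
    return 1;
}

/* Direction from the saved port instead of a list of well-known ports. */
int vnc_is_client_to_server(const struct vnc_conv *c, uint16_t dstport)
{
    return c->seen_version && dstport == c->server_port;
}
```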