On Wed, Apr 29, 2009 at 12:06:12AM +0200, Joerg Mayer wrote:
> On Mon, Apr 27, 2009 at 10:14:03PM +0200, Sake Blok wrote:
> > Regarding the Expert Info, since there are packets with all kinds of TTL's
> > and it would take a broader look at all frames to discover the right TTL, I
> > would say it would be a bit tricky to create such an expert info item.
> > Also, filtering on TTL alone won't do it, as you would need to save these
> > frames to a new file first, otherwise the bogus frames will still be used
> > for reassembly.
>
> Adding an expert item should be easy: If there's more than one TTL value seen
> in a single TCP stream, that either means that there are alternate paths with
> different amounts of hops in there (which is perfectly possible but still
> worth an info item) or it is some sort of obfuscation, which is also worth an
> info item. Whether/how to handle that case in the reassemble code is another
> thing.

Well, I didn't look at the SniffJoke sources, but if the hop count decreases, then packets sent by SniffJoke will reach the target system - and something bad might happen :) If the hop count increases, we might be lucky enough and not receive bogus packets.
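
The per-stream TTL check proposed in the quoted text, as an added sketch that is not part of the original message and is not Wireshark code. It assumes packets are already decoded into tuples, and it groups by direction, because the two directions of one TCP stream normally show different TTLs at the capture point; the sample packets and the function name are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, ip_ttl).
# Frame numbers are the 1-based position in this list.
PACKETS = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, 64),
    ("198.51.100.5", 80, "192.0.2.10", 40000, 52),
    ("192.0.2.10", 40000, "198.51.100.5", 80, 64),
    ("192.0.2.10", 40000, "198.51.100.5", 80, 7),   # TTL differs from the rest
    ("198.51.100.5", 80, "192.0.2.10", 40000, 52),
    ("192.0.2.10", 40001, "198.51.100.5", 80, 64),  # second, clean stream
    ("198.51.100.5", 80, "192.0.2.10", 40001, 52),
]


def ttl_anomalies(packets):
    """Flag every directional flow that carries more than one IP TTL value.

    Returns {flow: {"baseline": ttl, "outliers": [(frame_no, ttl), ...]}},
    where baseline is the most frequently seen TTL for that flow.
    """
    ttl_counts = defaultdict(Counter)   # flow -> Counter of TTL values
    frames = defaultdict(list)          # flow -> [(frame_no, ttl), ...]
    for frame_no, (src, sport, dst, dport, ttl) in enumerate(packets, start=1):
        flow = (src, sport, dst, dport)  # one direction of one TCP stream
        ttl_counts[flow][ttl] += 1
        frames[flow].append((frame_no, ttl))

    findings = {}
    for flow, counts in ttl_counts.items():
        if len(counts) < 2:
            continue  # a single TTL value: nothing worth an info item
        baseline = counts.most_common(1)[0][0]
        findings[flow] = {
            "baseline": baseline,
            "outliers": [(n, t) for n, t in frames[flow] if t != baseline],
        }
    return findings


if __name__ == "__main__":
    for flow, info in ttl_anomalies(PACKETS).items():
        print(flow, "baseline TTL", info["baseline"], "outliers", info["outliers"])
```

A finding only says the flow deserves a look: as the quoted text notes, alternate paths with different hop counts produce the same signal as obfuscation.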