On Sat, Sep 24, 2011 at 8:55 PM, Roland Knall <[email protected]> wrote:
> On Sat, Sep 24, 2011 at 9:09 PM, Guy Harris <[email protected]> wrote: > > > > On Sep 24, 2011, at 9:58 AM, Chris Maynard wrote: > > > >> Roland Knall <rknall@...> writes: > >> > >>> On a similar topic, how can you mark a package as malformed? > >>> Especially generated packages often fail the openSAFETY dissector, and > >>> marking them as malformed seems to make sense in such cases. > >> > >> Many dissectors make use of the expert infos for this. > > > > ...which is the right way to do it. Doing it by throwing an exception > makes errors such as "malformed because field XXX is too short" > indistinguishable from "malformed because the packet is missing data at the > end", and also means you stop dissecting at that point. > > That is the reason I am asking. I have quite a few assertions in my > code now, and although they do the trick, the right way should be > malformed in any of these cases. > > I will update my code now, and provide a patch for the opensafety > dissector, as soon as I am done. > > Roland > > Note that the "malformed" filter will match both frames that threw an exception (e.g. because there was data missing) or because Malformed expert info was added by a dissector. I've used Malformed expert info for lots of situations, e.g. non-zero reserved bits, protocol items appearing in the wrong or order, etc. Martin
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
