> On Sep 2, 2014, at 2:13, Roland Knall <[email protected]> wrote: > > Hi > > I have a more general question: At what point do you stop carrying about > false-positives with a heuristic filter?
Historically it's been "when people stop filing bug reports". I haven't seen any bug reports of type "my protocol X is getting dissected as openSAFETY instead", so I think you're ok :) > I have openSAFETY traces, where less then 0,2% of all displayed frames are > false-positives. But I cannot finetune the heuristic anymore, or I increase > the risk for getting false-negatives. > > Is there a point in fine-tuning down to an ideal 0% or do you just say, a > certain number of false-positives should be considered ok? > > There are two approaches left for me, to further down the number, first > being, that I rewrite the CRC calculation and include it in the heuristic > search for frame 2. This might increase the time the dissection needs to > filter. The second approach is to include a preference, and filter out > certain number in a field, because they highly suggest a false-positive. > > Both approaches would complicate the development of openSAFETY device, > because you would no longer see false messages which might occur during > development. > > Has anyone got some ideas here? > > regards, > Roland > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected]?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
