Wireshark mailing list archives

Re: Heuristic check of T.125 dissector


From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Mon, 24 Feb 2014 17:17:08 -0500

On 02/22/14 19:15, Thomas Wiens wrote:
Hi,

I've written a wireshark dissector for communication between industrial
control systems, which come as payload of cotp packets.
But the packets are displayed as T.125 protocol, until I disable this
protocol in wireshark settings to get my own dissector working.
[...]
So the second check (reminiscence to Douglas Adams?) with the magical 42
comes in:
(choice_index <=42)

The check is marked with a comment:
/* is this strong enough ? */

And I would answer: No, it is not.

I've taken a look into the relevant source file "packet-per.c", where
"choice_index" is the function parameter "val".
But "val" is several times calculated, shifted and so on, that I don't
know what value comes out.

Is there a possibility to make the heuristic check of the T.125
protocol stronger?

Without knowing the protocol, I'd say there's almost always room for improvement. Open a bug with a sample capture and see if someone can figure out how to strengthen the check.

ps. you mentioned your dissector is hosted on sourceforge; would you consider submitting it to Wireshark?

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev