Wireshark mailing list archives

Re: False-Positives handling with heuristic filters


From: Evan Huus <eapache () gmail com>
Date: Tue, 2 Sep 2014 07:28:03 -0400


On Sep 2, 2014, at 2:13, Roland Knall <rknall () gmail com> wrote:

> Hi
>
> I have a more general question: At what point do you stop caring about false-positives with a heuristic filter?

Historically it's been "when people stop filing bug reports". I haven't seen any bug reports of type "my protocol X is 
getting dissected as openSAFETY instead", so I think you're ok :)

> I have openSAFETY traces, where less than 0.2% of all displayed frames are false-positives. But I cannot fine-tune the
> heuristic anymore, or I increase the risk of getting false-negatives.
>
> Is there a point in fine-tuning down to an ideal 0%, or do you just say that a certain number of false-positives should be
> considered ok?
>
> There are two approaches left for me to further bring down the number, the first being that I rewrite the CRC calculation and
> include it in the heuristic search for frame 2. This might increase the time the dissection needs to filter. The
> second approach is to include a preference and filter out certain numbers in a field, because they highly suggest a
> false-positive.
>
> Both approaches would complicate the development of openSAFETY devices, because you would no longer see false messages
> which might occur during development.
>
> Has anyone got some ideas here?
>
> regards,
> Roland
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
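Roland's first option, pulling the CRC into the heuristic, can be quantified before touching the dissector. What follows is an added example written for this page, not code from Wireshark or from the openSAFETY dissector: it uses a made-up frame layout and a generic CRC-8 (polynomial 0x07, init 0x00), feeds pseudo-random buffers to a structure-only heuristic and to the same heuristic with the CRC verified, and counts how many buffers each one wrongly accepts. The 1..63 address range, the 0xA8..0xAF frame ids, the payload limit and the polynomial are all assumptions made for the experiment, and the random buffers are constructed input standing in for "every other protocol on the wire".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy frame layout assumed for this experiment (NOT openSAFETY's real
 * format; field values and the CRC polynomial are made up here):
 *   byte 0      : source address, valid range 1..63
 *   byte 1      : frame id, only the 8 values 0xA8..0xAF are defined
 *   byte 2      : payload length, 0..8
 *   bytes 3..   : payload (d[2] bytes), then one CRC-8 byte
 *   anything after the CRC byte is treated as padding and ignored
 */
#define MIN_FRAME   4u
#define MAX_PAYLOAD 8u

/* Plain CRC-8, polynomial 0x07, init 0x00, no reflection (a generic choice). */
static uint8_t crc8(const uint8_t *d, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

/* Structural heuristic only: the cheap field checks a heuristic dissector
 * usually does before claiming a frame. Returns 1 if the buffer "looks like"
 * a frame, 0 otherwise. */
static int heur_structural(const uint8_t *d, size_t n)
{
    if (n < MIN_FRAME) return 0;
    if (d[0] < 1 || d[0] > 63) return 0;
    if ((d[1] & 0xF8) != 0xA8) return 0;
    if (d[2] > MAX_PAYLOAD) return 0;
    if (n < 3u + d[2] + 1u) return 0;        /* CRC byte must be present */
    return 1;
}

/* Same checks plus the CRC; the extra cost is one CRC pass per candidate. */
static int heur_with_crc(const uint8_t *d, size_t n)
{
    if (!heur_structural(d, n)) return 0;
    size_t crc_pos = 3u + d[2];
    return crc8(d, crc_pos) == d[crc_pos];
}

/* Deterministic LCG so the experiment is reproducible offline; only the top
 * byte is used because the low bits of an LCG are poor. */
static uint8_t rnd_byte(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return (uint8_t)(*s >> 24);
}

/* Feed 'trials' random buffers of 'n' bytes to a heuristic and count how many
 * it accepts, i.e. the false positives. */
static unsigned count_false_positives(int (*heur)(const uint8_t *, size_t),
                                      size_t n, unsigned trials, uint32_t seed)
{
    uint8_t buf[64];
    unsigned hits = 0;
    if (n > sizeof buf) return 0;
    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < n; i++) buf[i] = rnd_byte(&seed);
        hits += heur(buf, n) ? 1u : 0u;
    }
    return hits;
}

/* Build a valid frame into 'out' and return its length. */
static size_t make_frame(uint8_t *out, uint8_t addr, uint8_t id,
                         const uint8_t *payload, uint8_t len)
{
    out[0] = addr; out[1] = id; out[2] = len;
    for (uint8_t i = 0; i < len; i++) out[3 + i] = payload[i];
    out[3 + len] = crc8(out, 3u + len);
    return 4u + len;
}

int main(void)
{
    const unsigned trials = 1000000u;
    unsigned weak   = count_false_positives(heur_structural, 12, trials, 1u);
    unsigned strict = count_false_positives(heur_with_crc,   12, trials, 1u);
    printf("structural only: %u / %u random buffers accepted\n", weak, trials);
    printf("with CRC       : %u / %u random buffers accepted\n", strict, trials);
    return 0;
}
```

With the assumed field ranges the structural checks accept 63/256 * 8/256 * 9/256, about 2.7e-4 of random 12-byte buffers, and verifying the CRC divides that by roughly 256. The same run shows the tradeoff the message describes: a frame whose payload was corrupted (the kind a device under development might emit) still passes the structural check but is rejected once the CRC is part of the heuristic, so it vanishes from the dissection instead of appearing with a CRC error.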