False-Positives handling with heuristic filters

[Roland Knall <rknall () gmail com>]

Hi

I have a more general question: At what point do you stop carrying about
false-positives with a heuristic filter?

I have openSAFETY traces, where less then 0,2% of all displayed frames are
false-positives. But I cannot finetune the heuristic anymore, or I increase
the risk for getting false-negatives.

Is there a point in fine-tuning down to an ideal 0% or do you just say, a
certain number of false-positives should be considered ok?

There are two approaches left for me, to further down the number, first
being, that I rewrite the CRC calculation and include it in the heuristic
search for frame 2. This might increase the time the dissection needs to
filter. The second approach is to include a preference, and filter out
certain number in a field, because they highly suggest a false-positive.

Both approaches would complicate the development of openSAFETY device,
because you would no longer see false messages which might occur during
development.

Has anyone got some ideas here?

regards,
Roland

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe