Wireshark mailing list archives

overzealous tcpros_tcp detection


From: "Marek 'MMx' Ludha" <mludha () gmail com>
Date: Wed, 31 Mar 2021 11:34:09 +0200

Hi,

Yesterday I spent some time figuring out why the http2_tcp heuristic
dissector wasn't working on my particular pcap. Turns out the reason is
that tcpros_tcp was claiming the data before http_tcp could get a turn
(http2_tcp is registered under http despite the _tcp in the name). In
particular, the function is_rosmsg in packet-tcpros.c returns true if one
signed gint taken from the message is greater than another one (this is
done by if( string_len > (msg_len - (4 + 8 + 4)) ) return FALSE;). This is
enough for the data to be claimed by tcpros_tcp. For purely statistical
reasons this will match about half of the packets it is given for
detection. I'm assuming that there will be more non-users of the ROS
protocol than there will be users, so I think a better default would be to
have this heuristic disabled by default.

Alternatively, I've noticed that this condition attempts to detect a string.
There's one more string detection code in is_rosheaderfield, which also
checks if the string fits within the available data, if its size is
non-negative, and if it consists entirely of alpha-numerical ASCII
characters. I have no idea if at least some of these checks could also be
applied in is_rosmsg, but it should make the heuristic more manageable.

What do you think?

Marek Ludha
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
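The two variants of the check discussed in the mail, as an added illustration that is not code from the mail or from Wireshark's packet-tcpros.c. The wire layout below (a 4-byte little-endian message length, 8 fixed header bytes, a 4-byte little-endian string length, then the string) is an assumption chosen only to reproduce the "4 + 8 + 4" offset the mail quotes; the function names is_rosmsg_weak, is_rosmsg_strict and count_claims and all sample buffers are constructed for this example. The weak variant keeps the single signed comparison, the strict variant adds the three checks the mail attributes to is_rosheaderfield, and count_claims feeds both variants pseudo-random 16-byte buffers to show the "about half" claim rate.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire layout (hypothetical, not taken from packet-tcpros.c), chosen
 * so that the string starts at the 4 + 8 + 4 offset quoted in the mail:
 *   [0..3]   msg_len     little-endian int32, total bytes incl. this prefix
 *   [4..11]  8 bytes of fixed header fields (contents irrelevant here)
 *   [12..15] string_len  little-endian int32
 *   [16..]   string bytes */
#define ROS_STRING_OFFSET (4 + 8 + 4)

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Weak heuristic: only the single signed comparison the mail describes.
 * Any negative string_len, and any msg_len larger than string_len, passes,
 * so unrelated traffic is claimed roughly half of the time. */
int is_rosmsg_weak(const uint8_t *buf, size_t buflen)
{
    if (buflen < ROS_STRING_OFFSET)
        return 0;
    int32_t msg_len = read_le32(buf);
    int32_t string_len = read_le32(buf + 12);
    /* 64-bit arithmetic only so the demo never hits signed overflow */
    if ((int64_t)string_len > (int64_t)msg_len - ROS_STRING_OFFSET)
        return 0;
    return 1;
}

/* Hardened heuristic: adds the checks the mail attributes to
 * is_rosheaderfield (non-negative size, fits in the available data,
 * alphanumeric ASCII content) before the conversation is claimed. */
int is_rosmsg_strict(const uint8_t *buf, size_t buflen)
{
    if (buflen < ROS_STRING_OFFSET)
        return 0;
    int32_t msg_len = read_le32(buf);
    int32_t string_len = read_le32(buf + 12);
    if (msg_len < 0 || string_len < 0)
        return 0;                       /* sizes must be non-negative */
    if ((size_t)msg_len > buflen)
        return 0;                       /* message must fit the captured data */
    if ((int64_t)string_len > (int64_t)msg_len - ROS_STRING_OFFSET)
        return 0;                       /* string must fit inside the message */
    for (int32_t i = 0; i < string_len; i++) {
        if (!isalnum((unsigned char)buf[ROS_STRING_OFFSET + i]))
            return 0;                   /* alphanumeric ASCII only */
    }
    return 1;
}

static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Feed n pseudo-random 16-byte buffers to a heuristic; returns how many
 * of them it claims. seed must be non-zero. */
int count_claims(int (*heuristic)(const uint8_t *, size_t), uint32_t seed, int n)
{
    uint8_t buf[16];
    int claimed = 0;
    for (int i = 0; i < n; i++) {
        for (int w = 0; w < 4; w++) {
            uint32_t r = xorshift32(&seed);
            buf[4 * w] = (uint8_t)(r & 0xff);
            buf[4 * w + 1] = (uint8_t)((r >> 8) & 0xff);
            buf[4 * w + 2] = (uint8_t)((r >> 16) & 0xff);
            buf[4 * w + 3] = (uint8_t)((r >> 24) & 0xff);
        }
        claimed += heuristic(buf, sizeof buf);
    }
    return claimed;
}

/* Constructed samples: the HTTP/2 connection preface (which the weak check
 * claims), a well-formed message under the assumed layout, one with a
 * non-alphanumeric string, and one with a negative string length. */
static const uint8_t kHttp2Preface[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
#define HTTP2_PREFACE_LEN (sizeof kHttp2Preface - 1)
static const uint8_t kRosLike[] = {
    21, 0, 0, 0,                  /* msg_len = 21 */
    0, 0, 0, 0, 0, 0, 0, 0,       /* 8 fixed header bytes */
    5, 0, 0, 0,                   /* string_len = 5 */
    'h', 'e', 'l', 'l', 'o' };
static const uint8_t kRosBadChars[] = {
    21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 'h', 'e', ' ', 'l', 'o' };
static const uint8_t kNegativeLen[] = {
    21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("http2 preface: weak=%d strict=%d\n",
           is_rosmsg_weak(kHttp2Preface, HTTP2_PREFACE_LEN),
           is_rosmsg_strict(kHttp2Preface, HTTP2_PREFACE_LEN));
    printf("ros-like:      weak=%d strict=%d\n",
           is_rosmsg_weak(kRosLike, sizeof kRosLike),
           is_rosmsg_strict(kRosLike, sizeof kRosLike));
    printf("random x10000: weak=%d strict=%d\n",
           count_claims(is_rosmsg_weak, 0x9E3779B9u, 10000),
           count_claims(is_rosmsg_strict, 0x9E3779B9u, 10000));
    return 0;
}
```

The strict variant still accepts a buffer whose declared string length is zero, so an all-zero block of 16 bytes would pass; whether an empty string should count as evidence of ROS is a policy question the mail does not settle, and a real dissector would decide it explicitly rather than by accident.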
