Re: Protocol coverage metrics...

["Webmaster 003" <webmaster () networkdefense biz>]

Do you feel this is canonical, or would others have widely different  
results?


On Thu, 19 Mar 2009 18:10:17 -0500, kowsik <kowsik () gmail com> wrote:

> If all you have is a pcap with some protocol packets in it, how would
> you know how much of the actual protocol specification (the possible
> set of fields that the packets could carry) is being covered? This is
> a useful metric to have when writing a dissector or IPS/DPI
> signatures. This is much in the spirit of code coverage.
>
> We used the Wireshark dissector documentation as the authoritative
> reference and then indexed all the protocol fields in the repository
> to see where we stand. You can check it out here:
>
> http://www.pcapr.net/browse/fields
>
> Besides, the index makes searching for pcaps with specific fields a
> whole lot easier. Looking for a SIP pcap that contains the
> WWW-Authenticate header? No problem, just type in
> "field:sip.www.authenticate" in the search bar and off you go. How
> about chunked-encoded HTTP stream with exploit.php? Search for
> "field:http.transfer.encoding AND exploit.php".
>
> Enjoy,
>
> K.



--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/