Re: catching [Malformed Packet]

[Martin Mathieson <martin.r.mathieson () googlemail com>]

On Sat, Sep 24, 2011 at 8:55 PM, Roland Knall <rknall () gmail com> wrote:

> On Sat, Sep 24, 2011 at 9:09 PM, Guy Harris <guy () alum mit edu> wrote:
> > On Sep 24, 2011, at 9:58 AM, Chris Maynard wrote:
> >
> > > Roland Knall <rknall@...> writes:
> > >
> > > > On a similar topic, how can you mark a package as malformed?
> > > > Especially generated packages often fail the openSAFETY dissector, and
> > > > marking them as malformed seems to make sense in such cases.
> > >
> > > Many dissectors make use of the expert infos for this.
> >
> > ...which is the right way to do it.  Doing it by throwing an exception
> makes errors such as "malformed because field XXX is too short"
> indistinguishable from "malformed because the packet is missing data at the
> end", and also means you stop dissecting at that point.
>
> That is the reason I am asking. I have quite a few assertions in my
> code now, and although they do the trick, the right way should be
> malformed in any of these cases.
>
> I will update my code now, and provide a patch for the opensafety
> dissector, as soon as I am done.
>
> Roland
Note that the "malformed" filter will match both frames that threw an
exception (e.g. because there was data missing) or because Malformed expert
info was added by a dissector.  I've used Malformed expert info for lots of
situations, e.g. non-zero reserved bits,  protocol items appearing in the
wrong or order, etc.

Martin

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe