Wireshark mailing list archives
Insufficient Data for Heuristic
From: Evan Huus <eapache () gmail com>
Date: Sat, 22 Feb 2014 19:13:38 -0500
This came up on a review [1] and I was wondering if there was already a consensus or if we could easily reach one. If a dissector checks the captured length and finds that it doesn't have enough data captured to run its heuristic (assuming there was enough on the wire for the packet to be valid), should that count as an auto-pass, or an auto-fail (ie should the heuristic reject the packet, or assume that it's valid and skip the check)? My instinct is to count it as a pass; we'll dissect the first few fields then throw an exception. I suppose there are potentially other dissectors in line that would actually accept the packet, but then there might also be cases where there aren't any, and we'd be leaving it undissected. Thoughts? Evan [1] https://code.wireshark.org/review/314 ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Insufficient Data for Heuristic Evan Huus (Feb 22)
- Re: Insufficient Data for Heuristic Guy Harris (Feb 22)
- Re: Insufficient Data for Heuristic Evan Huus (Feb 22)
- Re: Insufficient Data for Heuristic Jeff Morriss (Feb 24)
- Re: Insufficient Data for Heuristic Guy Harris (Feb 22)