Wireshark mailing list archives
Heuristic check of T.125 dissector
From: Thomas Wiens <th.wiens () gmx de>
Date: Sun, 23 Feb 2014 01:15:22 +0100
Hi,

I've written a Wireshark dissector for communication between industrial control systems, which comes as payload of COTP packets. But the packets are displayed as T.125 protocol until I disable this protocol in the Wireshark settings to get my own dissector working.

For myself I have no problem with this, but I have hosted this project at SourceForge and there are other users of this plugin, so it would be nice if it could be fixed.

I have checked the relevant source files for the T.125 dissector:

    /asn1/t125/packet-t125-template.c

The first heuristic check is:

    (ber_class==BER_CLASS_APP) && ((tag>=101) && (tag<=104)))

The first "ber" check could not be the problem, because it checks only the first byte of the COTP payload, and the first byte of my protocol is always 0x32. And (0x32 >> 6) & 0x03 is not equal to BER_CLASS_APP, which is 1.

So the second check (a reminiscence of Douglas Adams?) with the magical 42 comes in:

    (choice_index <=42)

The check is marked with a comment:

    /* is this strong enough ? */

And I would answer: No, it is not.

I've taken a look into the relevant source file "packet-per.c", where "choice_index" is the function parameter "val". But "val" is calculated, shifted and so on several times, so that I don't know what value comes out.

Is there a possibility to make the heuristic check of the T.125 protocol stronger?

--
Thomas Wiens
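The two checks quoted in the message above, applied to a payload that starts with 0x32, as an added example that is not part of the original post and is not Wireshark's code. The function names are hypothetical, and the block assumes the PER side reads the choice index as the first 6 bits of the payload (a constrained integer in 0..42), which the post does not state.

```c
#include <stdint.h>
#include <stdio.h>
#define BER_CLASS_APP 1

/* BER identifier octet(s): class = top 2 bits, tag = low 5 (0x1F = long form). */
static int ber_identifier(const uint8_t *p, size_t len, int *cls, uint32_t *tag)
{
    size_t i = 1;
    if (len == 0) return -1;
    *cls = (p[0] >> 6) & 0x03;
    *tag = p[0] & 0x1F;
    if (*tag != 0x1F) return 0;
    for (*tag = 0; ; i++) {
        if (i >= len || i > 4) return -1;   /* truncated or oversized tag */
        *tag = (*tag << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) return 0;       /* last tag octet reached */
    }
}

/* First check from the post: application class and tag 101..104. */
static int first_check(const uint8_t *p, size_t len)
{
    int cls; uint32_t tag;
    return ber_identifier(p, len, &cls, &tag) == 0 &&
           cls == BER_CLASS_APP && tag >= 101 && tag <= 104;
}

/* ASSUMPTION (not stated in the post): the index is the first 6 bits. */
static uint32_t per_choice_index(const uint8_t *p, size_t len)
{
    return len ? (uint32_t)(p[0] >> 2) : 100;   /* 100 = no data, fails <= 42 */
}

/* Number of first-byte values (out of 256) that either check accepts. */
static int accepted_first_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++) {
        uint8_t buf[2] = { (uint8_t)b, 0x65 };  /* constructed 2-byte payload */
        n += first_check(buf, 2) || per_choice_index(buf, 2) <= 42;
    }
    return n;
}

int main(void)
{
    const uint8_t s[] = { 0x32, 0x00 };         /* constructed: starts with 0x32 */
    printf("index=%u accepted=%d/256\n", (unsigned)per_choice_index(s, 2), accepted_first_bytes());
    return 0;
}
```

Under that assumption, a first byte of 0x32 yields index 12, and 172 of the 256 possible first bytes satisfy the second check, so it rejects little.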