Wireshark mailing list archives
Re: Insufficient Data for Heuristic
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Mon, 24 Feb 2014 17:14:58 -0500
On 02/22/14 19:13, Evan Huus wrote:
> This came up on a review [1] and I was wondering if there was already a consensus or if we could easily reach one. If a dissector checks the captured length and finds that it doesn't have enough data captured to run its heuristic (assuming there was enough on the wire for the packet to be valid), should that count as an auto-pass, or an auto-fail (i.e., should the heuristic reject the packet, or assume that it's valid and skip the check)? My instinct is to count it as a pass; we'll dissect the first few fields then throw an exception. I suppose there are potentially other dissectors in line that would actually accept the packet, but then there might also be cases where there aren't any, and we'd be leaving it undissected.
The way I've always done it has been that if there is not enough data, I can't claim it as my protocol. Chances are the message will end up being dissected as data and if the user's sure it's my protocol s/he could always Decode-As (bypassing the heuristics). But I'd rather not claim something I'm not sure is mine.
Of course it generally helps if the heuristics are looking at the first few bytes of the message...
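The "auto-fail" policy described in the reply above, sketched as an added example that is not part of the original message and is not Wireshark code. It is a self-contained model: the FOO protocol, `pkt_buf`, `foo_heuristic` and `pick_dissector` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a packet buffer: a snaplen cut makes captured_len
 * smaller than reported_len (the length seen on the wire). */
typedef struct {
    const uint8_t *data;
    size_t captured_len;
    size_t reported_len;
} pkt_buf;

#define FOO_HEUR_MIN 5 /* hypothetical FOO: 4-byte magic + 1-byte version */
static const uint8_t foo_magic[4] = { 'F', 'O', 'O', 0x01 };

/* Returns true only when the heuristic could run and it matched. */
bool foo_heuristic(const pkt_buf *p)
{
    if (p->reported_len < FOO_HEUR_MIN)
        return false;               /* too short on the wire to be FOO */
    if (p->captured_len < FOO_HEUR_MIN)
        return false;               /* valid length, but check cannot run */
    if (memcmp(p->data, foo_magic, sizeof foo_magic) != 0)
        return false;
    return p->data[4] == 1 || p->data[4] == 2;  /* known versions */
}

/* Decode-As bypasses the heuristic; an unclaimed packet falls to "data". */
const char *pick_dissector(const pkt_buf *p, bool decode_as_foo)
{
    if (decode_as_foo || foo_heuristic(p))
        return "foo";
    return "data";
}

/* Constructed sample: a FOO header followed by payload bytes. */
static const uint8_t sample[8] = { 'F', 'O', 'O', 0x01, 0x02, 0xAA, 0xBB, 0xCC };

int main(void)
{
    pkt_buf full  = { sample, 8, 8 };   /* fully captured */
    pkt_buf trunc = { sample, 4, 8 };   /* snaplen cut inside the header */
    printf("full: %s\n", pick_dissector(&full, false));
    printf("truncated: %s\n", pick_dissector(&trunc, false));
    printf("truncated + Decode-As: %s\n", pick_dissector(&trunc, true));
    return 0;
}
```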