Wireshark mailing list archives
Re: False positive from the new "Look for incomplete dissectors" function.
From: Anders Broman <a.broman58 () gmail com>
Date: Thu, 12 Feb 2015 18:18:54 +0100
On 12 Feb 2015 16:46, "Dario Lombardo" <dario.lombardo.ml () gmail com> wrote:
Hi Anders, if you carefully have a look at the bytes, you can notice that the 2
bytes reported by the logs are claimed by the SIP dissector, but they're not decoded.
Until SIP/2.0, bytes are decoded (address up to 0x0040+12). From "Max-Forward" and beyond (address 0x0040+15) they are decoded. Addresses 0x0040 +13 and +14 are not decoded. That's exactly what I would
have expected. If you click on them, the entire "SIP - REGISTER" is highlighted.
It is related to the textual nature of sip... the 2 undecoded bytes are
0x0d0a (CR+NL). A char sequence that not only is allowed in sip, but AFAIK, can also be repeated multiple times.
As told, the algorithm is not perfect and I will have to take care of
special cases like that. I will have a look at the SIP dissector to understand how to treat those text protocols (maybe many others are around... like HTTP :)).
Thanks for having pointed it out.
I suspected as much, but I think all the sip lines skip the CRLF...
On Thu, Feb 12, 2015 at 4:32 PM, Anders Broman <anders.broman () ericsson com>
wrote:
Hi, The enclosed frame shows what I think is a false positive. Regards Anders
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe
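The coverage check the thread is discussing, as an added example that is not Wireshark's code and not the checker Dario implemented: a toy line-oriented SIP header dissector records which byte ranges it claims as fields, and anything inside the message that no field claims is reported as undecoded. The message, the field names and all offsets are constructed for this example (they do not correspond to the frame Anders attached), and the "claim_terminators" switch is a hypothetical way of handling the CRLF case, not the fix that went into Wireshark.

```python
"""Added example (not Wireshark code): model the "incomplete dissector"
coverage check over a constructed SIP REGISTER request.

A toy line-oriented dissector records which byte ranges it decodes as fields.
Bytes inside the message that no field claims are reported as "undecoded".
Because SIP is textual, the CRLF terminating each header line is never part
of a field, so every CRLF (and a doubled CRLF, which SIP permits) shows up as
a gap: the false positive discussed in this thread.  A second pass lets the
dissector claim the terminators, and a helper tells CRLF-only gaps apart from
genuinely undecoded bytes.
"""

CRLF = b"\r\n"

# Constructed sample; offsets below are for this message, not the thread's frame.
SAMPLE = (
    b"REGISTER sip:example.com SIP/2.0\r\n"   # bytes 0-31, CRLF at 32-33
    b"Max-Forwards: 70\r\n"                   # bytes 34-49, CRLF at 50-51
    b"Via: SIP/2.0/UDP 10.0.0.1:5060\r\n"     # bytes 52-81, CRLF at 82-83
    b"\r\n"                                   # empty line, CRLF at 84-85
)


def dissect_headers(msg, claim_terminators=False):
    """Toy SIP header dissector (hypothetical, not Wireshark's packet-sip.c).

    Returns (fields, coverage): fields is a list of (name, offset, length)
    tuples, coverage a bytearray with 1 for every byte some field claimed.
    Dissection stops at the empty line that ends the header block, so any
    body bytes stay unclaimed (a real gap, not a CRLF artefact).
    """
    coverage = bytearray(len(msg))
    fields = []
    pos = 0
    first = True
    while pos < len(msg):
        end = msg.find(CRLF, pos)
        if end < 0:                     # no terminator: treat the rest as one line
            end = len(msg)
        line = msg[pos:end]
        if line:
            name = "Request-Line" if first else line.split(b":", 1)[0].decode("ascii", "replace")
            first = False
            fields.append((name, pos, len(line)))
            coverage[pos:end] = b"\x01" * (end - pos)
        term_len = min(len(CRLF), len(msg) - end)   # 2, or 0 at end of data
        if claim_terminators and term_len:
            # Hypothetical handling: let the dissector own the line terminator too.
            fields.append(("CRLF", end, term_len))
            coverage[end:end + term_len] = b"\x01" * term_len
        pos = end + term_len
        if not line:                    # empty line ends the header block
            break
    return fields, coverage


def undecoded_ranges(coverage):
    """Collapse unclaimed bytes into (offset, length) runs."""
    runs, start = [], None
    for i, claimed in enumerate(coverage):
        if not claimed and start is None:
            start = i
        elif claimed and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(coverage) - start))
    return runs


def terminator_only(msg, offset, length):
    """True if a gap consists solely of CR/LF bytes (a textual-protocol artefact)."""
    return length > 0 and all(b in CRLF for b in msg[offset:offset + length])


def report(msg, claim_terminators=False):
    """Return [(offset, length, kind)] with kind 'crlf' or 'undecoded'."""
    _, coverage = dissect_headers(msg, claim_terminators)
    return [(off, ln, "crlf" if terminator_only(msg, off, ln) else "undecoded")
            for off, ln in undecoded_ranges(coverage)]


if __name__ == "__main__":
    for off, ln, kind in report(SAMPLE):
        print(f"0x{off:04x} +{ln}: {kind}")
    # Same headers followed by a body the header dissector never touches:
    for off, ln, kind in report(SAMPLE + b"v=0\r\n", claim_terminators=True):
        print(f"0x{off:04x} +{ln}: {kind}")
```

Run as-is, the first pass reports three gaps, all made of nothing but CR/LF bytes, and the doubled CRLF at the end of the headers merges into one 4-byte gap. When a real undecoded region (the appended body) directly follows such a gap, the two runs merge and the CR/LF-only test no longer recognises the run as benign, which is one argument for letting the dissector claim the terminators (the claim_terminators pass) instead of filtering the gaps after the fact.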
Current thread:
- False positive from the new "Look for incomplete dissectors" function. Anders Broman (Feb 12)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 12)
- Re: False positive from the new "Look for incomplete dissectors" function. Anders Broman (Feb 12)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Anders Broman (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Anders Broman (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Anders Broman (Feb 12)
- Re: False positive from the new "Look for incomplete dissectors" function. Jeff Morriss (Feb 13)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 17)
- Re: False positive from the new "Look for incomplete dissectors" function. Dario Lombardo (Feb 12)