On Thursday 01 June 2006 12:23, ronnie sahlberg wrote:
> since it is a very rarely used protocol
> the worry would be for false positives.
> if the dissector mistakes common protocols for this one instead.
> I would be ok with its inclusion if its heuristics can be made very
> very strong so the chance of a false positive is very low.

Only the CSP protocol is critical, since the other protocols use a fixed, 32-bit SCTP payload protocol identifier. That is, the probability of a misidentification is extremely low (1 to 2^32).

CSP uses a UDP port, but the header contains a type field (1 byte) and a version number (4 bytes). The dissector checks for a valid version number (currently, only 0x00000200 is valid) and a valid type (currently, only 0x01 is defined). In combination with the UDP port number, there is an extremely low probability for a misidentification (40 header bits + 16 bit UDP port number must match).

> a wiki page and example traces would be looked at positively.

A pcap example trace of the protocols is attached to this mail.

Best regards
--
=======================================================================
Dipl.-Inform. Thomas Dreibholz
University of Essen, Room ES210
Inst. for Experimental Mathematics Ellernstraße 29
Computer Networking Technology Group D-45326 Essen/Germany
-----------------------------------------------------------------------
E-Mail: dreibh@xxxxxxxxxxxxxxxxxxxxx
Homepage: http://www.exp-math.uni-essen.de/~dreibh
=======================================================================
Attachment:
pgpC5YrI6Elfv.pgp
Description: PGP signature
Attachment:
rsplib-protocols.pcap.gz
Description: GZip compressed PCAP traces
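The heuristic described in the mail (UDP port, type 0x01 and version 0x00000200 must all match), written out as an added example; it is not code from the mail or from the dissector itself. The port number, the field offsets, the minimum length and the big-endian byte order are assumptions made for illustration, and the sample payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values stated in the mail. */
#define CSP_TYPE        0x01u        /* only defined type */
#define CSP_VERSION     0x00000200u  /* only valid version */
/* Assumptions for this example; the mail gives no port, offsets or length. */
#define CSP_UDP_PORT    50000u       /* placeholder port */
#define CSP_OFF_TYPE    0u           /* assumed offset of the 1-byte type */
#define CSP_OFF_VERSION 4u           /* assumed offset of the 4-byte version */
#define CSP_MIN_LEN     8u           /* bytes needed to read both fields */

/* Read a 32-bit value in network byte order (assumed encoding). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Claim the packet only if port, type and version all match. */
bool csp_heuristic_match(uint16_t udp_port, const uint8_t *payload, size_t len)
{
    if (udp_port != CSP_UDP_PORT)
        return false;
    if (payload == NULL || len < CSP_MIN_LEN)  /* bounds check before any read */
        return false;
    if (payload[CSP_OFF_TYPE] != CSP_TYPE)
        return false;
    return read_be32(payload + CSP_OFF_VERSION) == CSP_VERSION;
}

/* Constructed sample payloads (not taken from the attached trace). */
static const uint8_t sample_valid[]         = {0x01, 0, 0, 8, 0x00, 0x00, 0x02, 0x00};
static const uint8_t sample_wrong_version[] = {0x01, 0, 0, 8, 0x00, 0x00, 0x01, 0x00};
static const uint8_t sample_wrong_type[]    = {0x02, 0, 0, 8, 0x00, 0x00, 0x02, 0x00};
static const uint8_t sample_short[]         = {0x01, 0x00, 0x00};

int main(void)
{
    printf("valid=%d wrong_version=%d wrong_type=%d short=%d\n",
           csp_heuristic_match(CSP_UDP_PORT, sample_valid, sizeof sample_valid),
           csp_heuristic_match(CSP_UDP_PORT, sample_wrong_version, sizeof sample_wrong_version),
           csp_heuristic_match(CSP_UDP_PORT, sample_wrong_type, sizeof sample_wrong_type),
           csp_heuristic_match(CSP_UDP_PORT, sample_short, sizeof sample_short));
    return 0;
}
```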