Ethereal-dev: Re: [Ethereal-dev] giop dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sat, 11 Nov 2000 18:44:20 -0800

On Sun, Nov 12, 2000 at 11:21:34AM +0900, itojun@xxxxxxxxxx wrote:
> 	what identifies GIOP stream?

In the current version in CVS, a packet is considered a GIOP packet if:

	the packet is a TCP packet;

	it hasn't been picked up by any dissector before the code tries
	the GIOP heuristic dissector (it checks for dissectors
	registered with specific ports before trying the heuristic
	dissectors);

	the packet has at least 12 bytes of TCP payload;

	the first four bytes of the packet are "G", "I", "O", and "P",
	in that order.

Some earlier versions in CVS (1.19, 1.20) didn't check that the packet
had at least 12 bytes of TCP payload, and, for packets with fewer than
four bytes of payload, just charged ahead and tried to compare with
"GIOP", causing an exception, so the packet showed up as a malformed
GIOP packet.

>       most of the time my IPv6 SSH stream is
> 	mistakenly identified as GIOP recently,

SSH packets are TCP packets, and we don't, as far as I know, register a
dissector for the SSH port, so the heuristic dissectors will be called.

If it's identifying any frames that don't have "GIOP" as the first four
bytes as GIOP packets - *in the sense that it actually dissects them as
GIOP, not just that it puts "GIOP" in the protocol column* - there is,
indeed, a bug somewhere in the GIOP dissector's heuristics.  You'll have
to step through them, or send us a capture.

*However*, by "identified as GIOP", do you mean they're dissected as GIOP,
or just that they have "GIOP" in the protocol column?  If the latter,
that's another bug, which I just noticed when looking at the code - it
sets the protocol column *before* doing all the heuristic checks.

I'll move that after the heuristic checks, so it sets the column to
"GIOP" only if it actually accepts the packet as a GIOP packet.
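
The two orderings discussed in this message, as an added C example that is not part of the original post and is not Ethereal's dissector code. The function names, the `columns` struct and the sample payloads are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define GIOP_MIN_LEN 12   /* minimum TCP payload given in the post */

/* Hypothetical stand-in for the summary line's protocol column. */
struct columns { char protocol[8]; };
typedef int (*heur_fn)(const unsigned char *, size_t, struct columns *);

/* Constructed samples: an SSH version banner and a 12-byte GIOP-style header. */
static const unsigned char SSH_BANNER[] = "SSH-2.0-example\r\n";
static const unsigned char GIOP_HDR[12] = { 'G','I','O','P', 1,0,0,0, 0,0,0,0 };

/* Length is tested before the magic so a short payload is never read past its end. */
static int looks_like_giop(const unsigned char *p, size_t len)
{
    return len >= GIOP_MIN_LEN && memcmp(p, "GIOP", 4) == 0;
}

/* Ordering described as the bug: the column is written before the checks run. */
int heur_column_first(const unsigned char *p, size_t len, struct columns *c)
{
    strcpy(c->protocol, "GIOP");
    return looks_like_giop(p, len);
}

/* Ordering after the fix: the column is written only once the packet is accepted. */
int heur_checks_first(const unsigned char *p, size_t len, struct columns *c)
{
    if (!looks_like_giop(p, len))
        return 0;
    strcpy(c->protocol, "GIOP");
    return 1;
}

/* Runs one heuristic on a payload already labelled "TCP"; returns the final label. */
const char *label_after(heur_fn heur, const unsigned char *p, size_t len)
{
    static struct columns c;
    strcpy(c.protocol, "TCP");
    heur(p, len, &c);
    return c.protocol;
}

int main(void)
{
    printf("column first: %s\n", label_after(heur_column_first, SSH_BANNER, sizeof SSH_BANNER - 1));
    printf("checks first: %s\n", label_after(heur_checks_first, SSH_BANNER, sizeof SSH_BANNER - 1));
    printf("GIOP header:  %s\n", label_after(heur_checks_first, GIOP_HDR, sizeof GIOP_HDR));
    return 0;
}
```

With the column written first, the rejected SSH banner still ends up labelled "GIOP" even though the heuristic returns 0, which matches the "GIOP in the protocol column without being dissected as GIOP" case the message distinguishes.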