Wireshark-bugs: [Wireshark-bugs] [Bug 2111] Packet incorrectly detected as SMPP
Date: Sun, 30 Dec 2007 13:42:07 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2111


sake@xxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
------- Comment #4 from sake@xxxxxxxxxx  2007-12-30 13:42 GMT -------
What Stephen meant was to attach a capture file in binary format (i.e. not text
output). However, I have taken a look at the SMPP dissector. Since the captured
packets are from unknown ports, no port-based dissector is claiming them. Then
heuristic dissectors can have a shot at them. If one such dissector recognizes
it, it will start to dissect it. The test is done only on part of the packet,
trusting it to be legitimate if that part matches.

Unfortunately you have zeroed out the TCP payload which gets checked by the
SMPP dissector. But I'm 99.9% sure that the first 16 bytes of your payload were
matching a valid SMPP header. After that, the SMPP dissector could not dissect
it properly and reported it as malformed.

The easy workaround is to disable the SMPP protocol dissector in the
preferences when that happens.

A solution is not easy, since there are always false positives possible with
heuristic dissectors, although the chance that it happens should be very small.
Looking at the code that tests if a packet is SMPP, there is a chance of 1 in
758898819594870793914 that a random pattern is seen as a SMPP packet.

I'm closing this bug as there is a workaround for it and chances for false
positives are very slim.


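As an added illustration of the point made in the comment above (this is constructed example code, not Wireshark's heuristic or any code from the bug report): a header-only SMPP check in the style of a heuristic dissector, showing why an all-zero payload can never trigger it, why a non-SMPP segment whose first 16 bytes happen to look plausible is claimed and then reported as malformed, and how the false-positive rate of such a check can be estimated. The accepted command_id set and the length bound are assumptions chosen for the example.

```python
import struct

# SMPP 3.4 header: command_length, command_id, command_status, sequence_number,
# four unsigned 32-bit big-endian fields (16 bytes). The acceptance rules below
# are a constructed, simplified heuristic, not the dissector's real test.
HEADER_LEN = 16
MAX_PDU_LEN = 65536                      # assumed sane upper bound on command_length
REQUEST_IDS = {0x00000001, 0x00000002, 0x00000004, 0x00000005,   # bind_receiver,
               0x00000006, 0x00000009, 0x00000015}               # bind_transmitter,
# submit_sm, deliver_sm, unbind, bind_transceiver, enquire_link
RESPONSE_IDS = {cid | 0x80000000 for cid in REQUEST_IDS}         # matching *_resp ids


def build_header(cmd_len: int, cmd_id: int, status: int, seq: int) -> bytes:
    """Pack a 16-byte SMPP header (helper for constructing sample payloads)."""
    return struct.pack("!IIII", cmd_len, cmd_id, status, seq)


def looks_like_smpp(payload: bytes) -> bool:
    """Heuristic check: inspect only the first 16 bytes and, if they are
    plausible, claim the whole TCP segment as SMPP. Nothing after the header
    is examined here, which is exactly what makes false positives possible."""
    if len(payload) < HEADER_LEN:
        return False
    cmd_len, cmd_id, cmd_status, _seq = struct.unpack("!IIII", payload[:HEADER_LEN])
    if not HEADER_LEN <= cmd_len <= MAX_PDU_LEN:
        return False                     # an all-zero payload fails right here
    if cmd_id in REQUEST_IDS:
        return cmd_status == 0           # requests must carry status 0
    return cmd_id in RESPONSE_IDS        # responses may carry any status


def false_positive_rate() -> float:
    """Fraction of uniformly random 16-byte headers this heuristic accepts:
    count every accepted (length, id, status, sequence) combination and divide
    by the 2**128 possible headers."""
    lengths = MAX_PDU_LEN - HEADER_LEN + 1
    accepted = lengths * (len(REQUEST_IDS) * 1 + len(RESPONSE_IDS) * 2**32) * 2**32
    return accepted / 2**128


if __name__ == "__main__":
    zeroed = bytes(64)                                    # anonymised capture: all zeros
    real = build_header(50, 0x00000004, 0, 7) + bytes(34)  # submit_sm, 50-byte PDU
    # Non-SMPP data whose first 16 bytes happen to satisfy the check; the body
    # that follows would then be dissected as SMPP and flagged as malformed.
    lucky = build_header(40, 0x80000004, 0x45, 3) + b"GET / HTTP/1.1\r\n" + bytes(8)
    for name, p in (("zeroed", zeroed), ("real", real), ("lucky", lucky)):
        print(f"{name:7s} -> {looks_like_smpp(p)}")
    print(f"false-positive rate: 1 in {1 / false_positive_rate():.3g}")
```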