Wireshark-bugs: [Wireshark-bugs] [Bug 3256] New dissector: gadu-gadu protocol
Date: Sun, 1 Mar 2009 17:00:24 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3256





--- Comment #7 from Jakub Zawadzki <darkjames@xxxxxxxxxxxxxxxx>  2009-03-01 17:00:23 PDT ---
Thanks for comments, well printf() was just for debug purpose - sure I'll
remove it :)

About gadu-gadu traffic on port 443, it's not gg-over-ssl, it's still
unencrypted. It's just hack to make Gadu-Gadu connection more firewall-friendly
(some admins block connection on high-ports, 443 is low, and used by https, so
they won't close it)

Anyway it's hard to determinate if it's gadu-gadu port or not.

I could write some code to register connection (we always receive from server
GG_WELCOME packet) but it won't work if smb start sniffing after authorization.

Some other possibilities is to check if first 4 bytes (type of packet) is
inside some range (currently in use are packets type: 0x01 till 0x38) and if
len of packet (next 4 bytes) is below 5000.

By the way about len of packet and fragmentation (get_gg_pdu_len())
Known clients ignores packet with len (in header) above 65KB, (orginal
Gadu-Gadu client AFAIK ignores packet with len above ~3KB)

What should we do with such packet in wireshark? I'd like to ignore it like
normals client do. Any ideas how?

And second question (if I leave code as it is) if some evil person send packet
with some weird len (like 0xffffff) it's safe for wireshark?


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.