Wireshark-bugs: [Wireshark-bugs] [Bug 4097] Kerberos dissected as STUN2
Date: Tue, 6 Oct 2009 04:54:00 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4097

--- Comment #3 from Jaap Keuter <jaap.keuter@xxxxxxxxx>  2009-10-06 04:53:59 PDT ---
The heuristics for STUN2/UDP are rather weak. They match any UDP payload
starting with:

     3                   2                   1               
   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 1 0
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+----
  |t t|         don't care        |     remaining length        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+----
  tt > 0

That includes many BER encoded messages (!universal class, long definite form
with 2 octets) (incl. Kerberos), and probably many other protocols as well.

For one, I don't understand why in the heuristics the exception for the UDP
protocol is made. That is what severely weakens the heuristic test.


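An added example, not part of the original comment and not Wireshark's code: a C model of the check as the diagram above draws it, run against a constructed BER message with a non-universal tag and a 2-octet long-form length. Reading "remaining length" as the byte count after the first 4 octets is an assumption, as are the function names and the filler payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the check as drawn in the comment (not Wireshark's code):
 * top two bits non-zero, next 14 bits ignored, low 16 bits (big-endian)
 * equal to the number of payload bytes after this 4-byte word
 * (assumed reading of "remaining length"). */
static int weak_heur_match(const uint8_t *p, size_t len)
{
    if (len < 4)
        return 0;
    if ((p[0] >> 6) == 0)                 /* tt > 0 */
        return 0;
    return (size_t)((p[2] << 8) | p[3]) == len - 4;
}

/* BER header test: non-universal class and long definite form with
 * exactly two length octets (0x82) that cover the rest of the payload. */
static int ber_nonuniversal_len2(const uint8_t *p, size_t len)
{
    if (len < 4 || (p[0] & 0xC0) == 0 || p[1] != 0x82)
        return 0;
    return (size_t)((p[2] << 8) | p[3]) == len - 4;
}

/* Constructed sample: identifier octet `tag`, 0x82, 2-octet length,
 * then `body` filler bytes. Returns the total size written. */
static size_t make_ber(uint8_t *out, uint8_t tag, uint16_t body)
{
    out[0] = tag;
    out[1] = 0x82;
    out[2] = (uint8_t)(body >> 8);
    out[3] = (uint8_t)(body & 0xFF);
    memset(out + 4, 0xA5, body);
    return (size_t)body + 4;
}

int main(void)
{
    uint8_t buf[1024];
    /* 0x6A = APPLICATION 10, constructed: the Kerberos AS-REQ tag */
    size_t n = make_ber(buf, 0x6A, 300);
    printf("0x6A: heur=%d ber=%d\n", weak_heur_match(buf, n), ber_nonuniversal_len2(buf, n));
    n = make_ber(buf, 0x30, 300);         /* universal SEQUENCE: tt == 0 */
    printf("0x30: heur=%d\n", weak_heur_match(buf, n));
    return 0;
}
```

Every payload accepted by `ber_nonuniversal_len2` is also accepted by `weak_heur_match`, because the 0x82 octet falls entirely inside the "don't care" bits.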