Wireshark-bugs: [Wireshark-bugs] [Bug 8239] Dissector for Microsofts SSTP VPN Protocol
Comment # 17
on bug 8239
from Manuel Hofer
(In reply to comment #16)
> Two comments:
>
> 1. I think bug 4997 should be "deprecated" more than "duplicated" (not sure
> how to mark it as such). This dissector implements a much newer version of
> the protocol and I don't see us going back to the version implemented in bug
> 4997.
>
> 2. Should this dissector really register for TCP port 443 (same question
> posed in bug 4997)?
> a) http_dissector_add takes care of the TCP port registration
> (dissector_add_uint("tcp.port"...), so it's really not necessary to have in
> the SSTP dissector itself.
true, i will remove the port registration.
> b) Rather than map to a specific port (that isn't IANA registered), I think
> this dissector should be completely heuristic (registered only through
> heur_dissector_add). If the first 4 bytes aren't "SSTP", just return
> "FALSE" and let another dissector have a crack at it.
for that to work the dissector would have to see the initial packets of every
sstp session, because the "SSTP" string only appears once.
to detect a already established sstp session we would have to look at more
bytes, which could be rather inefficient (i'm not exactly familiar with the way
wireshark handles heuristic dissectors, i assume they are excuted for each
packet that doesn match anything else?).
i dont think it would even be possible to safely distinguish sstp from other
protocols. if you look at the packet types
(http://msdn.microsoft.com/en-us/library/cc247417.aspx) there isn't anything
unique to the protocol, e.g. looking at the length field and comparing to the
bytes remaining in tvb isn't possible due to other protocols being encapsualted
in sstp.
any suggestions?
You are receiving this mail because:
- You are watching all bug changes.