Wireshark-bugs: [Wireshark-bugs] [Bug 8239] Dissector for Microsofts SSTP VPN Protocol
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 21 Jan 2013 18:30:18 +0000

Comment # 18 on bug 8239 from 
(In reply to comment #17)
> "FALSE" and let another dissector have a crack at it.
for that to
> work the dissector would have to see the initial packets of every sstp
> session, because the "SSTP" string only appears once.
to detect a already
> established sstp session we would have to look at more bytes, which could be
> rather inefficient (i'm not exactly familiar with the way wireshark handles
> heuristic dissectors, i assume they are excuted for each packet that doesn
> match anything else?).

i dont think it would even be possible to safely
> distinguish sstp from other protocols. if you look at the packet types
> (http://msdn.microsoft.com/en-us/library/cc247417.aspx) there isn't anything
> unique to the protocol, e.g. looking at the length field and comparing to
> the bytes remaining in tvb isn't possible due to other protocols being
> encapsualted in sstp.

> any suggestions?

What is the definition of a "SSTP session"?  You may be able to use the
"conversation API" mentioned in doc\README.developer, section 2.2.  Perhaps the
logic should be (pseudocode):

if first 4 bytes == "SSTP"
  then create_conversation()
  dissect_sstp()
  return TRUE
else if find_conversation("SSTP")
  dissect_sstp()
  return TRUE
else
  return FALSE

You are receiving this mail because:
  • You are watching all bug changes.