Wireshark-bugs: [Wireshark-bugs] [Bug 12882] TCP packets sometimes are incorrectly parsed as TDS
Date: Wed, 07 Dec 2016 04:25:11 +0000

Comment # 10 on bug 12882 from
(In reply to Guy Harris from comment #9)
> If there are TCP dissectors that do reassembly, use a heuristic, and don't
> use conversation_set_dissector(), there can be cases where the reassembly
> will fail, so those dissectors are buggy.

Are you talking TCP reassembly or reassembly of layer above the protocol
running over TCP? (TDS certainly qualifies trying to reassemble NETLIB)

I think I've been lulled into believing that heuristics are used for the start
of a packet and most TCP dissectors use them just because they don't have the
"determinism" of a reserved IANA port.  How often are you really presented with
the start of a TCP PDU in the middle of a TCP packet?  Maybe the first PDU at
the start of a capture, and I guess I can usually live with that (not being
dissected), because it would end up being way too expensive (performance) to
ensure Wireshark "guessed right".  I also sometimes have a hard time
distinguishing "need" (for heuristics) from overzealous developer trying to put
as many entrances to his protocol as possible (especially with older
dissectors).

I still think switching to TDS to use tcp_dissect_pdus is worthwhile, but
without removing conversation_set_dissector(), this capture is still stuck
thinking it's TDS.  I can see the merits of keeping the
conversation_set_dissector, I'm just not sure how practical it is and I would
be okay removing the heuristic dissector altogether (in favor of using
preferences/Decode As) rather than disabling the heuristic for being too weak.


You are receiving this mail because:
  • You are watching all bug changes.