Wireshark-dev: Re: [Wireshark-dev] SIP heuristics
From: Lars Roland <lars.roland@xxxxxxx>
Date: Fri, 09 Jun 2006 01:53:46 +0200
Jaap Keuter schrieb:
> Hi Lars,
>
> Thanks for picking this up. What we could do (would help in my situation) is to check if the method does contain only valid ASCII characters. If not fail as SIP. Possible?

Yes, but the definition of "valid chars" makes it difficult. (complicated charset, not easy to check, but heuristics must work fast) However chars >= 0x80 or < 0x20 are not allowed in methods anyway.
Thus we could add a check to the heuristics, which rejects packets, if it finds octets < 0x20 or >= 0x80 before the first space character (0x20). In theory we can still get false positives with this additional check, but at least it makes the heuristics stronger.
I don't have time to work on it on this weekend. Feel free to implement a solution this or any other way. :)
Best regards, Lars
> On Thu, 8 Jun 2006, Lars Roland wrote:
>
>> Hello Jaap,
>>
>> I just subscribed to this list and discovered your mail in the archive.
>>
>> The request line starts with the Method. Anything before is not SIP and shouldn't be marked as such.
>>
>> Q: Should the heuristics try to discover SIP Packets encapsulated within unknown data? IMO it should only discover SIP Packets, when the tvbuff in question directly starts with a SIP header and contains no unknown leading bytes.
>>
>> The problem here is, that the Request Line starts with the Method, which can contain a lot of different ASCII characters. A heuristic, which detects a SIP Request Line 100% correctly can be very time consuming, because of the complex charset.
>>
>> As you noticed the SIP heuristics are too weak at the moment. IMO we should have strong heuristics, which may not detect all syntactically valid SIP packets, but will never detect false positives. Perhaps we should limit the heuristic detection to known SIP methods.
>>
>> Best regards,
>> Lars
>>
>> From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
>> Date: Wed, 7 Jun 2006 15:32:25 +0200 (CEST)
>> ------------------------------------------------------------------------
>>
>>> Hi,
>>>
>>> Now that the dust is settling (until the user community comes barging in ;) let us slowly get back to the real stuff.
>>>
>>> I've got trouble with SIP heuristics. Currently it tries to see if the packet contains what looks like a few tokens, which are checked to certain criteria. The trouble is that I've got SIP lines packed up in other (binary coded) protocols, which do contain NULL characters. Still the SIP heuristics take that as being part of the request line... That can't be right, can it? Shouldn't the heuristics take the UDP/TCP payload and take the _zero terminated_ string in there to determine if it is a SIP packet after all?
>>> Your thoughts please,
>>> Jaap

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
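The pre-check proposed in this thread, written out as an added example in C (not Wireshark's own packet-sip.c): the first function rejects a payload that has an octet < 0x20 or >= 0x80 before the first space, which covers the embedded-NUL case Jaap describes; the second is the stricter variant Lars floats, accepting only a list of known method names. Function names and the method list are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Pre-check for a SIP heuristic dissector (added example, not Wireshark code):
 * scan the payload only up to the first SP (0x20).  A SIP Method is a token of
 * printable ASCII, so any octet < 0x20 (NUL, CR, LF, binary framing) or
 * >= 0x80 (non-ASCII) before that SP means this cannot be a Request-Line.
 * Returns 1 if the leading token could be a Method, 0 otherwise. */
int sip_method_token_plausible(const unsigned char *buf, size_t len)
{
    size_t i;
    if (buf == NULL || len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == 0x20)
            return i > 0 ? 1 : 0;   /* an empty Method is not allowed */
        if (c < 0x20 || c >= 0x80)
            return 0;               /* control or non-ASCII octet: reject */
    }
    return 0;                       /* no SP at all: no Method/Request-URI split */
}

/* Stricter variant: accept only known methods (case-sensitive, as in SIP).
 * The list (RFC 3261 core methods plus common extensions) is this example's
 * choice.  It runs the plausibility check first, so an embedded NUL or a
 * non-ASCII octet in the token can never be matched here. */
int sip_method_is_known(const unsigned char *buf, size_t len)
{
    static const char *const methods[] = {
        "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
        "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE",
        NULL
    };
    const unsigned char *sp;
    size_t mlen, k;

    if (!sip_method_token_plausible(buf, len))
        return 0;
    sp = memchr(buf, 0x20, len);    /* non-NULL: the check above found a SP */
    mlen = (size_t)(sp - buf);
    for (k = 0; methods[k] != NULL; k++) {
        if (strlen(methods[k]) == mlen && memcmp(buf, methods[k], mlen) == 0)
            return 1;
    }
    return 0;
}
```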