Wireshark-dev: Re: [Wireshark-dev] Adding verification functionality to SIP dissector
From: Erik de Jong <erikdejong@xxxxxxxxx>
Date: Thu, 23 Feb 2017 22:36:17 +0100


On Thu, Feb 23, 2017 at 10:21 PM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
On Thu, Feb 23, 2017 at 12:49:51PM -0800, Guy Harris wrote:
> On Feb 23, 2017, at 11:56 AM, Erik de Jong <erikdejong@xxxxxxxxx> wrote:
>
> > During my day job I have noticed that sometimes combinations of
> > certain platforms have trouble dealing with SIP digest
> > authorization. Reasons for this range from bugs in the SIP stack to
> > wrong escapes for special characters in configuration files
> > generated for automated set provisioning. I have written a Lua
> > script that will allow me to enter credentials and check if the
> > digest hash in a SIP authorization line is indeed the correct hash
> > for those credentials.  I've written a proof of concept where this
> > functionality is added to the SIP dissector itself and I'm wondering
> > whether this is appropriate to submit for review or that these kind
> > of diagnostics are better left in an external script as it is not
> > really a dissection of the packet.
>
> 1) We already do validation of checksums in dissectors.
>
> 2) Wireshark is a packet *analyzer*, not a packet *dissector*.
>
> So there's no reason *not* to do digest hash checks in Wireshark, and if the dissector is the best place, there's no reason not to do them there.

Validation of the protocol fields (like checksums) can be done without
external input and would be nice. On violation, these could add "expert
info" to the tree.

But for Authorization digests in SIP, this would require external input
(credentials), possibly through a preference (filename or UAT). I think
it is better as separate script (since the input format can be different
depending on the user), but wouldn't object if a patch is proposed.

That's why I was inquiring. Expert info is a really great way to report validation mismatches, but there is external input required - I'd opt for a UAT.
Same principle could be applied for HTTP digests by the way.
 
--
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe