Ethereal-dev: Re: [ethereal-dev] ONC RPC is simply an heuristic dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 16 Jul 2000 20:44:42 -0700

On Fri, Jul 14, 2000 at 03:04:32PM +0200, Uwe Girlich wrote:
> To clean up the code a bit, I removed the direct calls to dissect_rpc() in
> TCP and UDP. dissect_rpc() is now registered as an heuristic dissector in 
> both cases.

Hmm.

A problem for which there is, I think, no perfect fix is that a protocol
that doesn't have a fixed port number (e.g., most ONC RPC services)
could end up using a well-known port.

If specific port numbers are checked before heuristic dissectors are
called - as is the case with our TCP and UDP dissectors - a packet for
one of those "no fixed port number" protocols could end up being treated
as a bad packet for some other protocol if it happens to use that
protocol's port number.

If, however, we allow dissectors for fixed port number protocols to
"reject" packets - i.e., to say "this isn't a packet for this protocol",
and have those packets be handed to other dissectors - it could cause
packets that really *are* malformed packets for that protocol not to be
recognized as such, and to be treated as some other protocol (and
probably shown as bad packets for *that* protocol, or treated as
uninterpreted data).  This might make it harder to figure out what's
wrong with the packet - and the reason one's running Ethereal could be
to debug a problem in one's implementation of the protocol in question.

I suppose one (imperfect) fix would be a way for the user to force a
given port number, or a given conversation, to be dissected as if it
were a particular protocol.
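
Added illustration, not part of the original message and not Ethereal code: a toy dispatcher that shows the three behaviours discussed above (port owner keeps the packet, port owner may reject, user override). All names are hypothetical, DNS on port 53 is an assumed stand-in for "some other protocol" with a well-known port, and its sanity check is deliberately simplified.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the dispatch problem; every name here is hypothetical,
   none of this is Ethereal's API. */
enum proto  { P_NONE, P_DATA, P_DNS, P_DNS_MALFORMED, P_RPC };
enum policy { PORT_FIRST, PORT_MAY_REJECT };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Heuristic: ONC RPC call = xid, msg_type 0 (CALL), rpcvers 2, prog, vers,
   proc, then credential and verifier headers (40 bytes minimum). */
static int looks_like_rpc_call(const uint8_t *d, size_t n) {
    return n >= 40 && be32(d + 4) == 0 && be32(d + 8) == 2;
}

/* Simplified DNS query check (assumption): full 12-byte header, QDCOUNT 1. */
static int looks_like_dns_query(const uint8_t *d, size_t n) {
    return n >= 12 && d[4] == 0 && d[5] == 1;
}

/* forced != P_NONE models the user override suggested in the message;
   a real tool would then run that protocol's dissector on the data. */
enum proto dispatch(uint16_t port, const uint8_t *d, size_t n,
                    enum policy pol, enum proto forced) {
    if (forced != P_NONE) return forced;
    if (port == 53) {                    /* fixed-port table is consulted first */
        if (looks_like_dns_query(d, n)) return P_DNS;
        if (pol == PORT_FIRST) return P_DNS_MALFORMED;  /* port owner keeps it */
    }
    return looks_like_rpc_call(d, n) ? P_RPC : P_DATA;  /* heuristic pass */
}

/* Constructed samples: an RPC call (prog 100003, vers 3, AUTH_NONE) and a
   DNS query truncated to 8 bytes. */
const uint8_t rpc_call[40] = { 0x12,0x34,0x56,0x78, 0,0,0,0, 0,0,0,2,
                               0x00,0x01,0x86,0xa3, 0,0,0,3, 0,0,0,0 };
const uint8_t bad_dns[8]   = { 0xab,0xcd, 0x01,0x00, 0x00,0x01, 0x00,0x00 };

int main(void) {
    printf("rpc on 53, port first: %d\n", dispatch(53, rpc_call, 40, PORT_FIRST, P_NONE));
    printf("rpc on 53, may reject: %d\n", dispatch(53, rpc_call, 40, PORT_MAY_REJECT, P_NONE));
    printf("bad dns,   may reject: %d\n", dispatch(53, bad_dns, 8, PORT_MAY_REJECT, P_NONE));
    printf("rpc on 53, forced RPC: %d\n", dispatch(53, rpc_call, 40, PORT_FIRST, P_RPC));
    return 0;
}
```

With the port owner keeping every packet, the RPC call on port 53 is reported as malformed DNS; once rejection is allowed, it is recognised as RPC, but the truncated DNS query degrades to uninterpreted data and the "malformed DNS" diagnosis is lost.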