Ask Your Question

heuristic dissector - Malformed packet - Same port different protocol

asked 2020-07-15 15:15:47 +0000

yaroni gravatar image

updated 2020-07-16 08:35:44 +0000

grahamb gravatar image

I have a pcap with 2 packets over udp, with the same port.
I want my heuristic dissector to recognize only the second packet as my protocol.
So i want to have 1 udp packet and second will be my dissector protocol.
My dissector is based on a magic number at specific offset.

The second packet is recognized as my protocol by the heuristic dissector
And the first one is udp, and under the udp layer there is Malformed packet: rtp stats
And in expert information, i get Maflormed packet(Exception occured)

There are a lot of example, each one with different code (according to change in the api i beleive )
I tried with create_dissector_handle and without

void proto_reg_handoff_rtp_stats(void)
    static gboolean initialized = FALSE;
    //static dissector_handle_t rtp_stats_handle;

    if (!initialized) {
        //rtp_stats_handle = create_dissector_handle(dissect_rtp_stats, proto_rtp_stats);
        initialized = TRUE;

        heur_dissector_add("udp", dissect_rtp_heur_stats, "rtp stats on udp(heuristic)","rtp-stats", proto_rtp_stats,HEURISTIC_ENABLE);

And here is the heuristic checker version,

static gboolean
dissect_rtp_heur_stats(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
    uint32_t nMagicNumber = tvb_get_ntohl(tvb, 12);
        col_clear(pinfo->cinfo, COL_INFO);
        return FALSE;
    printf("rtp stats %X",nMagicNumber );   
    return (dissect_rtp_stats(tvb,pinfo, tree,data)!= 0);

I found my problem, it was crashing before the check , because i didn't check packet length

edit retag flag offensive close merge delete


Not sure I get it, the rtp huer dissector claims a packet it shoudn't? You can dissable that particular dissector.

Anders gravatar imageAnders ( 2020-07-15 17:36:09 +0000 )edit

my dissector is rtp_stats, i don';t want to disable it

yaroni gravatar imageyaroni ( 2020-07-16 06:22:39 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-07-15 17:38:32 +0000

Jaap gravatar image

If you get Malformed packet: rtp stats, then your dissector heuristics does allow the packet to be handed off to the dissection function. If that is expected then your dissection function is not correct for that payload. If that is not expected then your heuristic function is not strong enough.

edit flag offensive delete link more


I found my problem, it was crashing before the check , because i didn't check packet length
Thank you for your help

yaroni gravatar imageyaroni ( 2020-07-16 06:22:18 +0000 )edit

The length check before accessing anything is noted in the example heuristic dissector in README.heuristic.

grahamb gravatar imagegrahamb ( 2020-07-16 08:38:04 +0000 )edit

Yes thank you, i found the problem already

yaroni gravatar imageyaroni ( 2020-07-16 09:33:37 +0000 )edit

Yep, I added it as a reference for others who may search for the same issue.

grahamb gravatar imagegrahamb ( 2020-07-16 10:10:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-07-15 15:15:47 +0000

Seen: 526 times

Last updated: Jul 16 '20