What should be done when detecting faulty frames?

asked 2019-01-24 11:01:03 +0000

5 ●2 ●3

Hey Guys, Should I issue a message and if so, how? The current solution used is:

return 0;

But the frame falsely looks good.

Thanks a lot!

answered 2019-01-24 19:54:36 +0000

JeffMorriss

6396 ●30 ●78

I assume you mean that you've decided that the frame in question isn't really your protocol?

In that case, yes, you should return 0. An example from README.dissector:

static int
dissect_dnp3_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    if (!check_dnp3_header(tvb, FALSE)) {
        return 0;

Note that you should return 0 before adding anything to the protocol tree or modifying any columns.

If, on the other hand, you're in the middle of dissecting a frame when you realize something's wrong then generally you'd want to add an expert info indicating that/why you're giving up dissection.

edit flag offensive delete link

Comments

Thank you so much, I didn't know the difference until now.

MaxiKoh95 ( 2019-01-25 06:56:46 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

What should be done when detecting faulty frames?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

What should be done when detecting faulty frames? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

What should be done when detecting faulty frames?