On Mon, Feb 23, 2015 at 10:49:55PM +0100, Peter Wu wrote:
> On Mon, Feb 23, 2015 at 03:32:48PM +0100, Gianrico wrote:
>
> I propose to make one or more of these changes:
>
> - Call the heuristics dissector only for the first data frame.

I forgot to mention the 1/n-1 splitting which is nowadays commonly done
for SSL dissectors to mitigate BEAST. New-style dissectors could return
"-1" ("I want more data") if they need more than the first byte.

> - Decouple the list of valid protocols from
>   transport_proto/addr/server_port->appdata_proto/keyfile
>   associations. This allows for multiple valid protocols while linking
>   one unique key per transport_proto/address/server_port tuple.
>   (Jeff, comments?)
> - Allow a wildcard protocol name in the UAT dialog just to set the key,
>   not the protocol ("any", "*" or the empty string?).
> - Select an appdata protocol in this order: STARTTLS hint, heuristics,
>   associations, (first available) dissector hint.
>
> Why the suggested protocol selection order?
>
> - STARTTLS hint is quite strong.
> - Good heuristics can do "the right thing" automatically.
> - Associations are entered by the user.
> - For protocols such as SMTP, there is one clear choice which is great.
>   For port 443, the best guess is HTTP (which should have been caught
>   by the heuristics dissector) but others are possible.

-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
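
The 1/n-1 split mentioned in the message above, as an added example that is not part of the original message and is not Wireshark code: with the split, the first decrypted application data record carries a single byte, so a heuristic that runs only on the first record has to be able to ask for more data. The result codes, the toy HTTP check, `struct stream` and all function names are hypothetical, and the sample records are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for this model only (hypothetical, not Wireshark's API). */
enum heur_result { HEUR_NEED_MORE = -1, HEUR_NO_MATCH = 0, HEUR_HTTP = 1 };

/* Toy HTTP heuristic over decrypted bytes: wants a full method token. */
static enum heur_result heur_http(const unsigned char *buf, size_t len)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    int prefix_ok = 0;
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t mlen = strlen(methods[i]);
        size_t n = len < mlen ? len : mlen;
        if (memcmp(buf, methods[i], n) != 0)
            continue;                 /* this method is ruled out */
        if (len >= mlen)
            return HEUR_HTTP;         /* whole token seen */
        prefix_ok = 1;                /* still a possible prefix */
    }
    return prefix_ok ? HEUR_NEED_MORE : HEUR_NO_MATCH;
}

/* Per-stream state: application data buffered until a verdict is reached. */
struct stream { unsigned char buf[64]; size_t len; enum heur_result verdict; };

/* Feed one decrypted record; once decided, the heuristic is not re-run. */
static enum heur_result stream_feed(struct stream *s, const void *rec, size_t n)
{
    if (s->verdict != HEUR_NEED_MORE)
        return s->verdict;
    if (n > sizeof s->buf - s->len)
        n = sizeof s->buf - s->len;   /* cap the buffer; enough for a method */
    memcpy(s->buf + s->len, rec, n);
    s->len += n;
    return s->verdict = heur_http(s->buf, s->len);
}

/* Verdict after feeding the given records (constructed samples) in order. */
enum heur_result verdict_after(const char *const *recs, size_t nrecs)
{
    struct stream s = { {0}, 0, HEUR_NEED_MORE };
    for (size_t i = 0; i < nrecs; i++)
        stream_feed(&s, recs[i], strlen(recs[i]));
    return s.verdict;
}
```

A stream whose first byte cannot start any known method is rejected at once, so only ambiguous streams are buffered past the first record.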