/* oh what a crap protocol. there is nothing in the protocol that makes it easy to identify and then worse is that by default it is using port 10000 which ndmp has been using for ages. assume it is tcpencap if it does not look like ndmp */ static int packet_is_tcpencap(tvbuff_t *tvb, packet_info *pinfo) { if(check_if_ndmp(tvb, pinfo)){ return FALSE; } return TRUE; }
static int packet_is_tcpencap(tvbuff_t *tvb, packet_info *pinfo, guint32 offset) { if ( /* Must be zero */ tvb_get_ntohl(tvb, offset + 0) != 0 || /* Lower 12 bits must be zero */ (tvb_get_ntohs(tvb, offset + 6) & 0xfff) != 0 || /* Protocol must be UDP or ESP */ (tvb_get_guint8(tvb, offset + 13) != 17 && tvb_get_guint8(tvb, offset + 13) != 50) ) { return FALSE; } if(check_if_ndmp(tvb, pinfo)){ return FALSE; } return TRUE; }