/* oh what a crap protocol.
there is nothing in the protocol that makes it easy to identify and then
worse is that by default it is using port 10000 which ndmp has been
using for ages.
assume it is tcpencap if it does not look like ndmp
*/
static int
packet_is_tcpencap(tvbuff_t *tvb, packet_info *pinfo)
{
if(check_if_ndmp(tvb, pinfo)){
return FALSE;
}
return TRUE;
}
static int
packet_is_tcpencap(tvbuff_t *tvb, packet_info *pinfo, guint32 offset)
{
if ( /* Must be zero */
tvb_get_ntohl(tvb, offset + 0) != 0 ||
/* Lower 12 bits must be zero */
(tvb_get_ntohs(tvb, offset + 6) & 0xfff) != 0 ||
/* Protocol must be UDP or ESP */
(tvb_get_guint8(tvb, offset + 13) != 17 &&
tvb_get_guint8(tvb, offset + 13) != 50)
) {
return FALSE;
}
if(check_if_ndmp(tvb, pinfo)){
return FALSE;
}
return TRUE;
}
