Re: [Wireshark-dev] TCP data PDU decoding fails depending on TCP options field?

From: Fulko Hew <fulko.hew_at_nospam>
Date: Fri Oct 01 2010 - 18:35:12 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

On Fri, Oct 1, 2010 at 2:18 PM, Sake Blok <sake@euronet.nl> wrote:

> On 1 Oct 2010, at 19:53, Fulko Hew wrote:
>
> > Imagine my surprise when Wireshark failed to decode the
> > AgentX protocol inside some captured packets. It all
> > depends on where the packets originated from (which OS).
> >
> > Attached are two capture sessions of AgentX traffic.
> >
> > One decodes... Between a Linux box and a Linux box.
> > One doesn't... Between a Windows box and a Linux box.
> >
> > I'm not sure what triggers the failure, but in one case
> > Wireshark successfully decodes the AgentX traffic inside
> > the TCP PDU and in the other case it doesn't. The top
> > protocol window (when it doesn't decode) also tags the
> > packets as '[TCP segment of a reassembled PDU]'
>
> The difference is that in the non-working example, there is a flag that
> indicates that multibyte values are in BigEndian representation and the
> agentX dissector does not seem to honor this. When it then sees "00 00 00
> 20" as length, it does not interpret this as 32 bytes, but as 536870912. So
> then it tries to read that many bytes to reassemble the PDU. Of course it
> fails at that.
>
> Could you please open a bug report at http://bugs.wireshark.org and attach
> the two tracefiles so that we don't lose track of it?
>

Done, bugzilla entry #5269 submitted.

 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5269
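
The length misreading described in the quoted reply, as an added example that is not part of the original message and is not Wireshark's dissector code. It assumes the RFC 2741 header layout (20 bytes, flags in byte 2, payload length in bytes 16-19, NETWORK_BYTE_ORDER flag 0x10); the function names, the sample header and the 1 MiB sanity cap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AGENTX_HDR_LEN        20          /* fixed header size (RFC 2741) */
#define AGENTX_FLAG_NETORDER  0x10        /* NETWORK_BYTE_ORDER bit in flags */
#define AGENTX_MAX_PAYLOAD    (1u << 20)  /* assumed sanity cap, not from the RFC */

/* Read a 32-bit field in the byte order the sender declared. */
static uint32_t rd32(const uint8_t *p, int big_endian)
{
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

/* The misreading from the thread: flag ignored, always little-endian. */
uint32_t agentx_len_ignoring_flag(const uint8_t *hdr)
{
    return rd32(hdr + 16, 0);
}

/* Total PDU length (header + payload) to hand to TCP reassembly, or 0
 * if the header is truncated or the declared length is implausible. */
size_t agentx_pdu_len(const uint8_t *hdr, size_t avail)
{
    if (avail < AGENTX_HDR_LEN)
        return 0;
    uint32_t payload = rd32(hdr + 16, hdr[2] & AGENTX_FLAG_NETORDER);
    if (payload > AGENTX_MAX_PAYLOAD)
        return 0;   /* refuse to wait for hundreds of MB of reassembly */
    return AGENTX_HDR_LEN + (size_t)payload;
}

/* Constructed sample: version 1, type 1, flags 0x10, length 00 00 00 20 */
static const uint8_t sample_be[AGENTX_HDR_LEN] = {
    0x01, 0x01, 0x10, 0x00,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 1,
    0x00, 0x00, 0x00, 0x20
};

int main(void)
{
    printf("flag ignored: %u\n", (unsigned)agentx_len_ignoring_flag(sample_be));
    printf("flag honored: %zu\n", agentx_pdu_len(sample_be, sizeof sample_be));
    return 0;
}
```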
