Wireshark · Ethereal-dev: Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20

Ethereal-dev: Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 11 Aug 2005 20:27:14 +0200

That's due to a "strange" interpretation of what a 32 bit unsigned
integer is in BER and some consecuences of it.

While decoding some traces I noticed that:
 -  when a transactionId was larger than 0xf0000000 it was encoded
with a prepended 0 and became a  5 byte integer that
dissect_ber_integer() would not add as a "filterable" field.

Being these two specific fileds (ctx id and trx id) very essential to
h248 when they are 5 byte encoded (ctxId == 0xfffffffe is the
wildcard!) I thought in making sure they would be filterable even if
the number was encoded in > 4 bytes.

As for the proposed patch, it would break things if the value is
encoded > 4 bytes of real data (it shouldn't but who knows). But I
changed the switch into an "if else if else if else" that fixes the
"too large for switch" issue without impact.

BTW:
The underlying reason for which I added this code
(dissect_ber_integer() would not add as a "filterable" field if it is
larger than 4 bytes, should be handled in dissect_ber_integer() )
remains there.

Should we change dissect_ber_integer() itself to make sure that a 5
byte unsigned integer which fits in 4 bytes gets added to the tree as
"filterable"?

Luis.

On 8/9/05, Albert Chin <ethereal-dev@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Aug 05, 2005 at 12:09:48AM +0200, Joerg Mayer wrote:
> > On Thu, Aug 04, 2005 at 04:23:17PM -0500, Albert Chin wrote:
> > > > Is the expression in a switch statement suppose to be an int or
> > > > unsigned int? In this case, context_id is guint64.
> > >
> > > How about the attached patch?
> >
> > > -   guint64 context_id = 0;
> > > +   guint32 context_id = 0;
> >
> > The code handles this variable explicitely as 64 bit value. Maybe someone
> > who knows the code can comment on this. I at least am not going to apply
> > this patch, someone with better understading of the code should do that.
> 
> Anyone?
> 
> --
> albert chin (china@xxxxxxxxxxxxxxxxxx)
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
> 

-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

References:
- [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20
  - From: Albert Chin
- Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20
  - From: Albert Chin
- Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20
  - From: Joerg Mayer
- Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20
  - From: Albert Chin

Prev by Date: Re: [Ethereal-dev] MMS and ASF parsers
Next by Date: Re: [Ethereal-dev] MMS and ASF parsers
Previous by thread: Re: [Ethereal-dev] Error building 0.10.12 on HP-UX 10.20
Next by thread: [Ethereal-dev] 0.10.12 patch to lemon
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$