Wireshark-bugs: [Wireshark-bugs] [Bug 3789] New: Nested proto tag within field tag for Expert In
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3789
Summary: Nested proto tag within field tag for Expert Info fields in exported PDML
Product: Wireshark
Version: unspecified
Platform: x86
OS/Version: Windows XP
Status: NEW
Severity: Major
Priority: Medium
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: tonedef@xxxxxxxxxxx
Created an attachment (id=3432)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3432)
Sample pcap file with expert info
Build Information:
Version 1.2.1 (SVN Rev 29141)
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,
with c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 19 2009), with
AirPcap.
Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, GnuTLS 2.8.1,
Gcrypt 1.4.4, without AirPcap, from the PortableApps U3 device in drive C:.
Built using Microsoft Visual C++ 9.0 build 30729
--
I looked at the PDML specification
<http://gd.tuwien.ac.at/.vhost/analyzer.polito.it/30alpha/docs/dissectors/PDMLSpec.htm>
and could not find any documentation to support the validity of a proto tag
nested within a field tag.
When I export a PCAP file to PDML using either Wireshark or TShark, the
generated PDML often has fields which contain a nested proto tag for Expert
Info (see examples below).
<field name="tcp.flags.syn" showname=".... ..1. = Syn: Set" size="1"
pos="47" show="1" value="1" unmaskedvalue="02">
<proto name="expert" showname="Expert Info (Chat/Sequence): Connection
establish request (SYN): server port http" size="0" pos="0">
<field name="expert.message" showname="Message: Connection establish
request (SYN): server port http" size="0" pos="0" show="Connection establish
request (SYN): server port http"/>
<field name="expert.severity" showname="Severity level: Chat"
size="0" pos="0" show="Chat"/>
<field name="expert.group" showname="Group: Sequence" size="0"
pos="0" show="Sequence"/>
</proto>
</field>
and
<field name="" show="M-SEARCH * HTTP/1.1\r\n" size="21" pos="82"
value="4d2d534541524348202a20485454502f312e310d0a">
<proto name="expert" showname="Expert Info (Chat/Sequence): M-SEARCH *
HTTP/1.1\r\n" size="0" pos="0">
<field name="expert.message" showname="Message: M-SEARCH *
HTTP/1.1\r\n" size="0" pos="0" show="M-SEARCH * HTTP/1.1\\r\\n"/>
<field name="expert.severity" showname="Severity level: Chat" size="0"
pos="0" show="Chat"/>
<field name="expert.group" showname="Group: Sequence" size="0" pos="0"
show="Sequence"/>
</proto>
<field name="http.request.method" showname="Request Method: M-SEARCH"
size="8" pos="82" show="M-SEARCH" value="4d2d534541524348"/>
<field name="http.request.uri" showname="Request URI: *" size="1"
pos="91" show="*" value="2a"/>
<field name="http.request.version" showname="Request Version: HTTP/1.1"
size="8" pos="93" show="HTTP/1.1" value="485454502f312e31"/>
</field>
Shouldn't the Expert Info be exported as a field tag instead of as a proto tag?
While the PDML specification does allow for field tags to be nested within
other field tags, it does not seem to allow for proto tags nested beneath field
tags.
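An added check for consumers of exported PDML, not part of the bug report or of Wireshark: it parses a PDML document, finds every proto tag whose parent is a field tag, and rewrites those as field tags, the structure the report says the specification permits. The sample document is constructed from the first fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the first PDML fragment in the report:
# an Expert Info <proto> sits directly under the tcp.flags.syn <field>.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.2.1">
  <packet>
    <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
      <field name="tcp.flags.syn" showname=".... ..1. = Syn: Set" size="1"
             pos="47" show="1" value="1" unmaskedvalue="02">
        <proto name="expert" showname="Expert Info (Chat/Sequence): Connection establish request (SYN): server port http" size="0" pos="0">
          <field name="expert.message" showname="Message: Connection establish request (SYN): server port http" size="0" pos="0" show="Connection establish request (SYN): server port http"/>
          <field name="expert.severity" showname="Severity level: Chat" size="0" pos="0" show="Chat"/>
          <field name="expert.group" showname="Group: Sequence" size="0" pos="0" show="Sequence"/>
        </proto>
      </field>
    </proto>
  </packet>
</pdml>
"""


def parse_pdml(text):
    """Parse a PDML document from a string and return its root element."""
    return ET.fromstring(text)


def find_nested_protos(root):
    """Return (parent_field, proto) pairs for every <proto> whose direct
    parent is a <field>. A <proto> under a <field> nested in another <field>
    is still caught, because its own parent is a <field>."""
    hits = []
    for field in root.iter("field"):
        for child in field:
            if child.tag == "proto":
                hits.append((field, child))
    return hits


def normalise_nested_protos(root):
    """Rewrite each <proto> found under a <field> as a <field>, keeping its
    attributes and children in place. Returns the number of tags rewritten."""
    hits = find_nested_protos(root)  # collect first, then mutate
    for _, proto in hits:
        proto.tag = "field"
    return len(hits)
```

After normalisation the Expert Info block keeps its expert.message, expert.severity and expert.group children, so downstream tooling that rejects a proto under a field still sees the same data.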