Wireshark-bugs: [Wireshark-bugs] [Bug 4536] New: Expert Info (Note/Sequence): is wrong for MDNS
Date: Thu, 25 Feb 2010 18:20:44 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4536

           Summary: Expert Info (Note/Sequence): is wrong for MDNS packets
           Product: Wireshark
           Version: 1.2.6
          Platform: x86
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: geekdude@xxxxxxxxxxx


Created an attachment (id=4334)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4334)
MDNS packet decode from wireshark

Build Information:
Version 1.2.6 (SVN Rev 31702)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.3, with libpcap 1.0.0, with libz
1.2.3, without POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, with
c-ares 1.5.3, with Lua 5.1, with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT
Kerberos, without GeoIP, with PortAudio V19-devel (built Nov 14 2008), without
AirPcap.

Running on Darwin 10.2.0 (MacOS 10.6.2), with libpcap version 1.0.0, GnuTLS
2.6.2, Gcrypt 1.4.3.

Built using gcc 4.0.1 (Apple Inc. build 5488).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.

--
Expert Info (Note/Sequence): is wrong for MDNS packets. 
[Expert Info (Note/Sequence): "Time To Live" > 1 for a packet sent to the Local
Network Control Block (see RFC 3171)]

See the following URL:
http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt

4. Source Address Check
   All Multicast DNS responses (including responses sent via unicast) SHOULD be
sent with IP TTL set to 255. This is recommended to provide
backwards-compatibility with older Multicast DNS clients that check the IP TTL
on reception to determine whether the packet originated on the local link.
These older clients discard all packets with TTLs other than 255.

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.0.1.1              224.0.0.251           MDNS     Standard query response TXT, cache flush

Frame 1 (235 bytes on wire, 235 bytes captured)
    Arrival Time: Feb 25, 2010 12:01:11.721035000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 235 bytes
    Capture Length: 235 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: TTL low or unexpected]
    [Coloring Rule String: ( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5) || (ip.dst == 224.0.0.0/24 && ip.ttl != 1)]
Ethernet II, Src: AppleCom_e6:b3:0e (00:03:93:e6:b3:0e), Dst: IPv4mcast_00:00:fb (01:00:5e:00:00:fb)
    Destination: IPv4mcast_00:00:fb (01:00:5e:00:00:fb)
        Address: IPv4mcast_00:00:fb (01:00:5e:00:00:fb)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: AppleCom_e6:b3:0e (00:03:93:e6:b3:0e)
        Address: AppleCom_e6:b3:0e (00:03:93:e6:b3:0e)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.0.1.1 (10.0.1.1), Dst: 224.0.0.251 (224.0.0.251)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 221
    Identification: 0x0098 (152)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 255
        [Expert Info (Note/Sequence): "Time To Live" > 1 for a packet sent to the Local Network Control Block (see RFC 3171)]
            [Message: "Time To Live" > 1 for a packet sent to the Local Network Control Block (see RFC 3171)]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: UDP (0x11)
    Header checksum: 0xce7b [correct]
        [Good: True]
        [Bad : False]
    Source: 10.0.1.1 (10.0.1.1)
    Destination: 224.0.0.251 (224.0.0.251)
User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353)
    Source port: mdns (5353)
    Destination port: mdns (5353)
    Length: 201
    Checksum: 0x6a3f [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Domain Name System (response)
    Transaction ID: 0x0000
    Flags: 0x8400 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 0
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Answers
        Chuck Hein's AirPort Extreme._airport._tcp.local: type TXT, class IN, cache flush
            Name: Chuck Hein's AirPort Extreme._airport._tcp.local
            Type: TXT (Text strings)
            .000 0000 0000 0001 = Class: IN (0x0001)
            1... .... .... .... = Cache flush: True
            Time to live: 1 hour, 15 minutes
            Data length: 121
            Text: waMA=00-03-93-E6-B3-0F,laMA=00-03-93-E6-B3-0E,raMA=00-0A-95-F1-E2-F4,syDs=Apple Base Station V5.7,syFl=0x00000A00,syAP=3

0000  01 00 5e 00 00 fb 00 03 93 e6 b3 0e 08 00 45 00   ..^...........E.
0010  00 dd 00 98 00 00 ff 11 ce 7b 0a 00 01 01 e0 00   .........{......
0020  00 fb 14 e9 14 e9 00 c9 6a 3f 00 00 84 00 00 00   ........j?......
0030  00 01 00 00 00 00 1c 43 68 75 63 6b 20 48 65 69   .......Chuck Hei
0040  6e 27 73 20 41 69 72 50 6f 72 74 20 45 78 74 72   n's AirPort Extr
0050  65 6d 65 08 5f 61 69 72 70 6f 72 74 04 5f 74 63   eme._airport._tc
0060  70 05 6c 6f 63 61 6c 00 00 10 80 01 00 00 11 94   p.local.........
0070  00 79 78 77 61 4d 41 3d 30 30 2d 30 33 2d 39 33   .yxwaMA=00-03-93
0080  2d 45 36 2d 42 33 2d 30 46 2c 6c 61 4d 41 3d 30   -E6-B3-0F,laMA=0
0090  30 2d 30 33 2d 39 33 2d 45 36 2d 42 33 2d 30 45   0-03-93-E6-B3-0E
00a0  2c 72 61 4d 41 3d 30 30 2d 30 41 2d 39 35 2d 46   ,raMA=00-0A-95-F
00b0  31 2d 45 32 2d 46 34 2c 73 79 44 73 3d 41 70 70   1-E2-F4,syDs=App
00c0  6c 65 20 42 61 73 65 20 53 74 61 74 69 6f 6e 20   le Base Station 
00d0  56 35 2e 37 2c 73 79 46 6c 3d 30 78 30 30 30 30   V5.7,syFl=0x0000
00e0  30 41 30 30 2c 73 79 41 50 3d 33                  0A00,syAP=3

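An added example (not Wireshark's code and not part of the original report): the TTL rule from the Expert Info message, evaluated with and without an exception for mDNS, over the IPv4 and UDP headers of frame 1 above. Treating destination 224.0.0.251 with UDP destination port 5353 as mDNS, and the names `check_ttl`, `expected_ttl` and `mdns_aware`, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ttl_verdict { TTL_OK, TTL_NOTE, TTL_MALFORMED };

#define MDNS_GROUP 0xE00000FBu /* 224.0.0.251, destination of the reported frame */
#define MDNS_PORT  5353u       /* UDP port shown in the reported frame */

/* IPv4 + UDP headers of frame 1 in the report (bytes 0x0e-0x29 of its dump). */
static const uint8_t report_frame[28] = {
    0x45, 0x00, 0x00, 0xdd, 0x00, 0x98, 0x00, 0x00, 0xff, 0x11, 0xce, 0x7b,
    0x0a, 0x00, 0x01, 0x01, 0xe0, 0x00, 0x00, 0xfb,
    0x14, 0xe9, 0x14, 0xe9, 0x00, 0xc9, 0x6a, 0x3f
};

/* Expected TTL: -2 malformed, -1 destination outside 224.0.0.0/24, else 1,
 * or 255 for mDNS when mdns_aware is set. Checksums are not validated. */
static int expected_ttl(const uint8_t *ip, size_t len, int mdns_aware)
{
    if (len < 20 || (ip[0] >> 4) != 4) return -2;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -2;
    uint32_t dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                   ((uint32_t)ip[18] << 8) | ip[19];
    if ((dst & 0xFFFFFF00u) != 0xE0000000u) return -1;
    if (mdns_aware && dst == MDNS_GROUP && ip[9] == 17 && len >= ihl + 8) {
        unsigned dport = ((unsigned)ip[ihl + 2] << 8) | ip[ihl + 3];
        if (dport == MDNS_PORT) return 255;
    }
    return 1;
}

/* mdns_aware = 0 reproduces the rule quoted in the report;
 * mdns_aware = 1 applies the draft's TTL 255 expectation to mDNS. */
enum ttl_verdict check_ttl(const uint8_t *ip, size_t len, int mdns_aware)
{
    int want = expected_ttl(ip, len, mdns_aware);
    if (want == -2) return TTL_MALFORMED;
    if (want == -1) return TTL_OK;
    return ip[8] == want ? TTL_OK : TTL_NOTE;
}

int main(void)
{
    printf("rule as reported: %d\n", check_ttl(report_frame, sizeof report_frame, 0));
    printf("mDNS-aware rule:  %d\n", check_ttl(report_frame, sizeof report_frame, 1));
    return 0;
}
```

With the exception enabled, an mDNS packet whose TTL is anything other than 255 is the one that gets the note, which matches the local-link origin check described in the quoted draft text.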