Wireshark-bugs: [Wireshark-bugs] [Bug 4714] New: dns dissector on UDP packets influences tcp.str
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4714
Summary: dns dissector on UDP packets influences tcp.stream
Product: Wireshark
Version: 1.2.6
Platform: x86
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: alantu@xxxxxxxx
Created an attachment (id=4575)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4575)
m.pcap contains the pcap to demonstrate this bug
Build Information:
TShark 1.2.6 (SVN Rev 31702)
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.22.3, with WinPcap (version unknown), with libz 1.2.3,
without POSIX capabilities, without libpcre, with SMI 0.4.8, with c-ares 1.7.0,
with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, with
GeoIP.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.1.1
(packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5.
Built using Microsoft Visual C++ 9.0 build 30729
--
1. Run
tshark -r m.pcap -w http.pcap -R "tcp"
http.pcap contains one TCP stream with a HTTP transaction.
2. Run
tshark -r http.pcap -T fields -e tcp.stream
Result: tcp.stream is numbered 0.
3. Run
tshark -r m.pcap -T fields -e tcp.stream -R "tcp"
Result: tcp.stream is numbered 1.
4. Disable the dns dissector.
5. Run
tshark -r m.pcap -T fields -e tcp.stream -R "tcp"
Result: tcp.stream is numbered 0.
The difference between m.pcap and http.pcap is that m.pcap contains two UDP DNS
packets, a query and response.
Bug or feature?
TCP streams should be numbered consistently, irrespective of the presence of
UDP DNS packets. It seems the dns dissector is causing the tcp.stream index to
be incremented.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.