Wireshark-bugs: [Wireshark-bugs] [Bug 4994] New: Wireshark diagnoses "bogus IP address" for outb
Date: Fri, 9 Jul 2010 15:40:40 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4994

           Summary: Wireshark diagnoses "bogus IP address" for outbound
                    TCP with 1500-byte IP datagrams
           Product: Wireshark
           Version: 1.2.9
          Platform: x86
        OS/Version: Windows Vista
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: gary.bjerke@xxxxxxxxxx
             Group: private


Build Information:
Version 1.2.9 (SVN Rev 33171)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with SMI
0.4.8, with c-ares 1.7.0, with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.5,
with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jun  8 2010),
with AirPcap.

Running on 32-bit Windows Vista Service Pack 2, build 6002, with WinPcap version
4.1.1 (packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
When running WS 1.2.9 (32-bit) on Vista SP2, capturing TCP traffic with an
XP/SP3 host, I see packets that WS identifies as IP, with a "bogus IP length"
comment in the Info section. I've also reproduced this bug using WS 1.2.6
(64-bit) running on a Windows 7 host. These packets always appear to be
outbound frames longer than 1514 bytes. If you look at a WS trace captured on
the receiving host, you see that the payload is correctly delivered in two IP
datagrams, the first of which is exactly 1500 bytes long (frame capture 1514
bytes).

I've attached the files "bogus_ip_on_vista.pcap" and "no_bogus_ip_on_xp.pcap".
The first file captures traffic on my Vista/SP2 host, and the second captures
the same traffic on the XP/SP3 host. The bogus frames are sent from Vista to
XP.

In the Vista capture, frames 148 and 397 are flagged as bogus IP. Frame 148
corresponds to frames 150 and 151 in the XP capture, and frame 397 corresponds
to frames 452 and 453. Vista frames 148 and 393 in fact have 0 IP datagram
length, as displayed in the WS raw data panel. If you parse out the TCP header
by hand, the sequence numbers are also garbage, but the content starts exactly
where you would expect it to (end of 5-word TCP header).

You can sanity-check that the TCP payloads sent and received are identical. For
example, for bogus frame 148, the payload length is 0x764 - 0x36 = 0x72e. XP
receives frame 150 with a payload length of 0x5ea - 0x36 = 0x5b4, and frame 151
with a payload length of 0x1b0 - 0x36 = 0x17a. 0x5b4 + 0x17a = 0x72e, the
length from the bogus Vista frame.

The bogus frame lengths are listed as 1892 and 1900, respectively. It looks
like two Ethernet frames have been merged together in the Vista capture. The
Vista frame lengths are both exactly 54 bytes less than the sum of the
corresponding pair of frame lengths in the XP capture: (1514 + 440) - 1900 =
(1514 + 432) - 1892 = 54.

The problem seems to occur only when an outbound IP datagram contains exactly
1500 bytes.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
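The sanity check the reporter does by hand (payload length = captured length minus the 54 bytes of Ethernet, IP and TCP headers, and 0x5b4 + 0x17a = 0x72e) can be automated. The following is an added example, not Wireshark's own code: it walks a classic pcap, flags IPv4/TCP frames whose IP total length cannot be right, and verifies that the TCP payload of a flagged outbound frame is byte-for-byte the concatenation of the segments seen by the receiver. The "bogus" rule here is an approximation of Wireshark's check (total length smaller than the IP+TCP headers, or larger than what was captured), and every frame, address, port and the pcap wrapper are constructed in memory with the sizes the report gives (1892, 1514 and 432 bytes); only little-endian microsecond pcap is read, pcapng is not.

```python
"""Flag frames with an impossible IP total length in a pcap and check a merged
outbound frame against the segment pair the receiving host saw.
Added example, not Wireshark code; all frames below are constructed."""
import struct

ETH_HDR, IP_HDR, TCP_HDR = 14, 20, 20
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps


def build_frame(ip_total_len, payload, seq):
    """Ethernet/IPv4/TCP frame. ip_total_len is written verbatim so the 0 seen
    in the Vista capture can be reproduced (constructed data, no checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Minimal little-endian pcap (LINKTYPE_ETHERNET = 1) around the frames."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1278715240, i, len(f), len(f)) + f)
    return b"".join(out)


def read_pcap(data):
    """Return the captured frames of a little-endian usec pcap, in file order."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian usec pcap)")
    off, frames = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def check_frame(frame):
    """Parse an IPv4/TCP frame. 'bogus' approximates Wireshark's check: the IP
    total length is smaller than the IP+TCP headers or larger than the bytes
    captured after the Ethernet header. payload_len comes from the captured
    length (the report's 0x764 - 0x36), so it is meaningful when IP length is 0."""
    if len(frame) < ETH_HDR + IP_HDR + TCP_HDR:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    vihl, _, ip_total_len = struct.unpack_from("!BBH", frame, ETH_HDR)
    ihl = (vihl & 0x0F) * 4
    if frame[ETH_HDR + 9] != IPPROTO_TCP:
        return None
    tcp = ETH_HDR + ihl
    seq = struct.unpack_from("!I", frame, tcp + 4)[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    hdr_len = tcp + data_off
    bogus = ip_total_len < ihl + data_off or ip_total_len > len(frame) - ETH_HDR
    return {"frame_len": len(frame), "ip_len": ip_total_len, "seq": seq,
            "payload": frame[hdr_len:], "payload_len": len(frame) - hdr_len,
            "bogus": bogus}


def bogus_frames(pcap_bytes):
    """1-based frame numbers (Wireshark numbering) of frames flagged as bogus."""
    flagged = []
    for n, f in enumerate(read_pcap(pcap_bytes), 1):
        info = check_frame(f)
        if info and info["bogus"]:
            flagged.append(n)
    return flagged


def matches_pair(merged, received):
    """The report's check: the merged frame's TCP payload equals the received
    segments' payloads concatenated, and the merged frame is exactly one set
    of headers (54 bytes) shorter than the received frames per extra segment."""
    m = check_frame(merged)
    parts = [check_frame(f) for f in received]
    payload_ok = b"".join(p["payload"] for p in parts) == m["payload"]
    extra_hdrs = (ETH_HDR + IP_HDR + TCP_HDR) * (len(received) - 1)
    len_ok = sum(p["frame_len"] for p in parts) - m["frame_len"] == extra_hdrs
    return payload_ok and len_ok


# Constructed data: one merged outbound frame with IP length 0 (1892 bytes) and
# the two segments the receiver saw (1514 and 432 bytes), as in the report.
PAYLOAD = (bytes(range(256)) * 8)[:0x72E]              # 1838 bytes of filler
VISTA_FRAME = build_frame(0, PAYLOAD, seq=0xDEADBEEF)  # bogus length, junk seq
XP_FRAMES = [build_frame(1500, PAYLOAD[:1460], 1000),
             build_frame(IP_HDR + TCP_HDR + len(PAYLOAD) - 1460, PAYLOAD[1460:], 2460)]
CAPTURE = build_pcap([XP_FRAMES[0], VISTA_FRAME, XP_FRAMES[1]])

if __name__ == "__main__":
    print("bogus frames:", bogus_frames(CAPTURE))                    # [2]
    print("merged == pair:", matches_pair(VISTA_FRAME, XP_FRAMES))   # True
```

To run this against the attached captures, read each file's bytes into `bogus_frames` and pass the flagged Vista frame and the two XP frames it corresponds to into `matches_pair`; a `True` result confirms the payload really was delivered intact, so the "bogus" frame is a capture-side artifact rather than data loss on the wire.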