Wireshark-bugs: [Wireshark-bugs] [Bug 8816] The wireshark displays "Packet size limited during c
Date: Wed, 19 Jun 2013 01:28:05 +0000

Comment # 6 on bug 8816 from
Hi, Jeff (In reply to comment #3)
> There are several issues going on here.
> 
> 1) The first SCTP chunk in frame 26 is a retransmission of that in frame 24.
> 
> 2) You don't have SCTP's TSN Analysis feature enabled (it's off by default)
> so SCTP doesn't realize this.  Because SCTP does not realize this it
> dissects the payload of the retransmitted message.
> 
> 3) SCCP (the protocol) expects fragments to be delivered in order and
> without duplication.  SCCP (the dissector) more or less assumes this too
> because we haven't tried to hack up the reassembly code to work with SCCP's
> style of reassembly.
> 
> The result of all of that is that the reassembly that happens in frame 26
> creates a bogus message: it has the first 230 octets of the MSU twice (and
> no octets from the 2nd fragment).
> 
> 4) Then as TCAP dissects this bogus message it gets into the BER dissector
> which sometimes sets the actual and reported TVB lengths separately (I'm not
> sure why).  In this case the reported length is greater than the actual
> length so when the dissection fails (because the reassembly is hosed) you
> get a misleading error message.
> 
> So: if you want the dissection to work, enable SCTP's TSN Analysis feature.
> 
> #3 is arguably a bug in Wireshark's reassembly stuff (SCCP stacks can detect
> duplication like this so Wireshark should be able to too).
> 
> I would suspect #4 is also a bug but I don't know the BER's intentions
> here...
> 
> Finally:
> 
> 5) The SCTP dissector is trying to catch "nonfatal" exceptions so it can
> process subsequent chunks, even if an earlier chunk threw an exception.  But
> the exception thrown in this case (BoundsError) is not in the list so SCTP
> does not attempt to process the next chunk.  The question here is: should
> BoundsError be in the "nonfatal" exception list or should the BER dissector
> not be (ab?)using the reported length the way it is?

Hi, Jeff:

    Thanks very much for your detailed explanations.
    After "enable SCTP's TSN Analysis feature", it displayed the right message
content.

Best Regards
Nan Xiao


You are receiving this mail because:
  • You are watching all bug changes.