Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 10287] New: DNP3 Dissector segments reassembly

Wireshark-bugs: [Wireshark-bugs] [Bug 10287] New: DNP3 Dissector segments reassembly

Date: Thu, 17 Jul 2014 14:56:34 +0000

Bug ID	10287
Summary	DNP3 Dissector segments reassembly
Classification	Unclassified
Product	Wireshark
Version	Git
Hardware	x86-64
OS	Ubuntu
Status	UNCONFIRMED
Severity	Normal
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	bugzilla-admin@wireshark.org
Reporter	luc@comtois.me

Created attachment 12904 [details]
fragmented DNP3 on TCP 10001

Build Information:
Wireshark 1.99.0 (v1.99.0-rc1-919-gac0fc19 from master)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.10.8, with Cairo 1.13.1, with Pango 1.36.3, with
libpcap, without POSIX capabilities, without libnl, with libz 1.2.8, with GLib
2.40.0, with SMI 0.4.8, with c-ares 1.10.0, without Lua, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with PortAudio <= V18, with
AirPcap.

Running on Linux 3.13.0-30-generic, with locale en_US.UTF-8, with libpcap
version 1.5.3, with libz 1.2.8, with GnuTLS 2.12.23, with Gcrypt 1.5.3, without
AirPcap.
Intel(R) Xeon(R) CPU           E5430  @ 2.66GHz

Built using gcc 4.8.2.

--
I am trying to decode DNP3 on TCP 10001 

The dissector is only able to decode 3 message out of 86 in the file.

Because dissect_dnp3_tcp is looking for the dnp3 header in each segments the
segments never get reassembled.
I was able to "fix" this problem by moving the header verification in
get_dnp3_message_len that get called after reassembly.
See Abandoned Change-Id:Ie7c0a861b980b32ae931819a78582722e82a3bfa

Moving the header verification created a problem with partial segments like in
this capture.
If I understand correctly, tcp_dissect_pdus is reassembling until it get a
segment of lenght 10(DNP_HDR_LEN) then get_dnp3_message_len() is called.
The segment (ee ee 51 b5 05 64 0c c4 0c 00) would be rejected even if it
contain a valid header and tcp_dissect_pdus would continue reassembling and
rejecting DNP3 messages.
This is why I added code to check if the header is present at other positions.

I am certain this is not the proper way to do this but it is working for me.

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 10283] Decoding websocket protocol client side very large message flags an error when there is none
Next by Date: [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
Previous by thread: [Wireshark-bugs] [Bug 10286] Buildbot crash output: fuzz-2014-07-15-23779.pcap
Next by thread: [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly
Index(es):
- Date
- Thread