Wireshark-bugs: [Wireshark-bugs] [Bug 11417] New: SOCKS decoder giving strange values for seemin
Bug ID |
11417
|
Summary |
SOCKS decoder giving strange values for seemingly normal SOCKS connection, parser bug?
|
Product |
Wireshark
|
Version |
1.12.6
|
Hardware |
x86
|
OS |
Windows 7
|
Status |
UNCONFIRMED
|
Severity |
Major
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
8libra@gmail.com
|
Created attachment 13771 [details]
Example SOCKS connection that seems to trip up the parser
Build Information:
TShark 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12)
Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with
SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python, with GnuTLS 3.2.15,
with Gcrypt 1.6.2, without Kerberos, with GeoIP.
Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz, with 8035MB of physical
memory.
Built using Microsoft Visual C++ 10.0 build 40219
--
Hello, I'm analyzing a lot of SOCKS 5 proxy traffic, and a significant quanity
is not decoding correctly. The example I'm attaching has no missing packets or
bytes in the bytestream, and has valid/normal values in the SOCKS protocol.
Maybe its TCP options throwing off the parser? I'm stumped.
$ tshark -r socks_example.pcap -d tcp.port==24042
1 0.000000 176.9.19.103 -> 172.31.15.199 TCP 74 41492→24042 [SYN] Seq=0
Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=721658576 TSecr=0 WS=128
2 0.000022 172.31.15.199 -> 176.9.19.103 TCP 74 24042→41492 [SYN, ACK]
Seq=0 Ack=1 Win=26847 Len=0 MSS=8961 SACK_PERM=1 TSval=506027890
TSecr=721658576 WS=128
3 0.096901 176.9.19.103 -> 172.31.15.199 TCP 66 41492→24042 [ACK] Seq=1
Ack=1 Win=29312 Len=0 TSval=721658600 TSecr=506027890
4 0.096951 176.9.19.103 -> 172.31.15.199 Socks 70 Version: 5 Connect to
server request
5 0.096958 172.31.15.199 -> 176.9.19.103 TCP 66 24042→41492 [ACK] Seq=1
Ack=5 Win=26880 Len=0 TSval=506027914 TSecr=721658601
6 0.097055 172.31.15.199 -> 176.9.19.103 Socks 68 Version: 5 Connect to
server response
7 0.193923 176.9.19.103 -> 172.31.15.199 TCP 66 41492→24042 [ACK] Seq=5
Ack=3 Win=29312 Len=0 TSval=721658625 TSecr=506027914
8 0.193932 176.9.19.103 -> 172.31.15.199 Socks 98 Version: 5
9 0.231965 172.31.15.199 -> 176.9.19.103 TCP 66 24042→41492 [ACK] Seq=3
Ack=37 Win=26880 Len=0 TSval=506027948 TSecr=721658625
10 0.304031 172.31.15.199 -> 176.9.19.103 Socks 76 Version: 5 Command
Response - Unknown
11 0.401323 176.9.19.103 -> 172.31.15.199 Socks 405 Version: 5
12 0.401337 172.31.15.199 -> 176.9.19.103 TCP 66 24042→41492 [ACK] Seq=13
Ack=376 Win=28032 Len=0 TSval=506027990 TSecr=721658677
13 0.496611 172.31.15.199 -> 176.9.19.103 Socks 158 Version: 5 Command
Response - Unknown
...
Let's try something different, putting the simple socks.port field (there is
only one connection here, and the port is 443, this value should only be in one
packet):
$ tshark -d tcp.port==24042,socks -r socks_example.pcap -T fields -e
frame.number -e socks.port
1
2
3
4
5
6
7
8
9
10 0
11
12
13 20738
14 16384
15
16
17
18
19
20 20684
...
You are receiving this mail because:
- You are watching all bug changes.