Wireshark-bugs: [Wireshark-bugs] [Bug 11484] New: pcapng: NRB IPv4 address is endian swapped but
Date: Sat, 29 Aug 2015 14:26:28 +0000
Bug ID 11484
Summary pcapng: NRB IPv4 address is endian swapped but shouldn't be
Product Wireshark
Version 1.99.x (Experimental)
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Capture file support (libwiretap)
Assignee bugzilla-admin@wireshark.org
Reporter hadrielk@yahoo.com

Created attachment 13834
example file with problem - should be "127.0.0.1" but isn't

Build Information:
Wireshark 1.99.9 (v1.99.9rc0-436-g51e77b6 from master)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.14.2, with Pango 1.30.1, with
libpcap, without POSIX capabilities, with libz 1.2.8, with GLib 2.36.0, with
SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS 2.12.19, with Gcrypt
1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 24
2015 08:02:01), without AirPcap.

Running on Mac OS X 10.10.5, build 14F27 (Darwin 14.5.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 47, with libz 1.2.5,
with GnuTLS 2.12.19, with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53).
--
The pcapng reader swaps the IPv4 address of an NRB record if the pcapng SHB is
of a different endianness than the local machine. But the pcapng writer always
writes it in big endian/network-order format, because that's how it's always
stored inside of Wireshark. Therefore, this bug makes a little-endian Wireshark
incorrectly read the pcapng file's NRB from a big-endian Wireshark, and
vice-versa.

Per the spec, it's always encoded in network order (4 separate bytes), and thus
should not be swapped on read.

The fix for this needs to be back-ported to 1.12 as well.


You are receiving this mail because:
  • You are watching all bug changes.
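The behaviour described in the report, as an added example that is not Wireshark's libwiretap code: a minimal parser for one nrb_record_ipv4 that reads the 16-bit type and length in the section's byte order but copies the four address bytes as stored. The function name, the `swap_addr` flag (which models the reported swap) and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NRB_RECORD_IPV4 0x0001

/* Constructed samples: the same record ("127.0.0.1" -> "localhost") as written
 * inside a big-endian and a little-endian section. Only type/length differ. */
static const uint8_t REC_BE[] = {0x00,0x01, 0x00,0x0e, 127,0,0,1,
    'l','o','c','a','l','h','o','s','t',0, 0,0};
static const uint8_t REC_LE[] = {0x01,0x00, 0x0e,0x00, 127,0,0,1,
    'l','o','c','a','l','h','o','s','t',0, 0,0};

/* 16-bit header fields follow the byte order declared by the section's SHB. */
static uint16_t rd16(const uint8_t *p, int big_endian)
{
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)((p[1] << 8) | p[0]);
}

/* Parse one nrb_record_ipv4. Returns 0 on success, -1 if malformed.
 * swap_addr=1 reproduces the reported behaviour (address byte-swapped). */
int parse_nrb_ipv4(const uint8_t *buf, size_t len, int big_endian, int swap_addr,
                   uint8_t addr[4], char *name, size_t name_sz)
{
    if (len < 4 || rd16(buf, big_endian) != NRB_RECORD_IPV4) return -1;
    size_t vlen = rd16(buf + 2, big_endian);
    if (vlen < 6 || vlen > len - 4) return -1;   /* 4 addr bytes + 1 char + NUL */
    const uint8_t *val = buf + 4, *host = val + 4;
    for (int i = 0; i < 4; i++)                  /* network order: copy as stored */
        addr[i] = swap_addr ? val[3 - i] : val[i];
    const uint8_t *nul = memchr(host, 0, vlen - 4);
    if (!nul || (size_t)(nul - host) + 1 > name_sz) return -1;
    memcpy(name, host, (size_t)(nul - host) + 1);
    return 0;
}

int main(void)
{
    uint8_t a[4]; char n[64];
    for (int swap = 0; swap <= 1; swap++) {
        if (parse_nrb_ipv4(REC_LE, sizeof REC_LE, 0, swap, a, n, sizeof n) == 0)
            printf("swap=%d: %u.%u.%u.%u %s\n", swap, a[0], a[1], a[2], a[3], n);
    }
    return 0;
}
```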