Wireshark-dev: [Wireshark-dev] difference between windows and linux behavior
From: "John R." <jhoger@xxxxxxxxx>
Date: Fri, 23 Jun 2006 17:17:19 -0700
I use tcp_dissect_pdus in my dissector to desegment tcp and break
apart my higher level protocol. The tcp stack in my device ends up
batching a lot of packets together.

I have a 5 byte header including a start byte, a short of flags and a
length short. That's how much I tell tcp_dissect_pdus I need to
determine length of the full packet. I have validated that I am
calculating and returning the actual length properly (20 bytes). The
situation I have found is where 4 bytes of the 5 byte header is in one
packet and the last byte is in the next. This works under Linux, i.e.
the tcp segments are reassembled. But under Windows it behaves
differently... it seems to lose the 5 bytes (i.e. it never calls my
dissector with those bytes). But then it calls my dissector in the
middle of the packet just after the 5 bytes discarded causing an
attempt to dissect which fails since it is now out of sync with the
stream.

I am still on a fairly recent checkout of Ethereal, and I'm wondering if
a) Has this been seen before? Would updating to Wireshark help?
b) Where should I look to resolve this bug? Is it likely to be
completely within packet-tcp.c?

static guint get_mach1_pdu_len (tvbuff_t *tvb, int offset)
{
       guint16 header;
       guint16 data_len;
       guint16 total_len;

       /* get the flags to determine if the timestamp is included */
       header = tvb_get_ntohs (tvb, offset + 1);

       /* fetch the data length, mask off extra bits just in case */
       data_len = tvb_get_ntohs (tvb, offset + 3);
       data_len = data_len & 0x03ffU;

       /* return total of data length, timestamp, header and checksum
lengths */
       total_len = (data_len + ((header & 0x4000U) ? 8 : 0) + 5 + 1);
       return (total_len);
}

static void
dissect_mach1_tcp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
       packet_ndx = 0;

       tcp_dissect_pdus (tvb, pinfo, tree, (gboolean) (!0), 5,
get_mach1_pdu_len, dissect_mach1);
}

The packet I am dissecting is
EF 61 02 00 (tail of first TCP segment)
06 44 9B 2A 74 00 06 15 EF 01 01 01 02 04 33 ED (from the subsequent segment)

What I see is that EF 61 02 00 06 are discarded and 44... is fed to my
dissector instead.

I have included the exports of the packet dumps at the end of this message.

Crossing my fingers that this is a known issue or triggers an idea somewhere...

Thanks,

-- John.

First packet:

No.     Time        Source                Destination           Protocol Info
    60 1.124572    192.168.20.108        192.168.20.117        Mach1
 M-> OCS::InventoryNtf [1151019636.396602] Packets=41

Frame 60 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: Impinj_00:00:05 (00:16:25:00:00:05), Dst:
Dell_0b:62:0b (00:11:43:0b:62:0b)
Internet Protocol, Src: 192.168.20.108 (192.168.20.108), Dst:
192.168.20.117 (192.168.20.117)
Transmission Control Protocol, Src Port: 49380 (49380), Dst Port: 3693
(3693), Seq: 29825, Ack: 0, Len: 1460
   Source port: 49380 (49380)
   Destination port: 3693 (3693)
   Sequence number: 29825    (relative sequence number)
   Next sequence number: 31285    (relative sequence number)
   Acknowledgement number: 0    (relative ack number)
   Header length: 20 bytes
   Flags: 0x0010 (ACK)
   Window size: 5840
   Checksum: 0x1b2a [correct]
   TCP segment data (4 bytes)
(some detail removed)

0000  00 11 43 0b 62 0b 00 16 25 00 00 05 08 00 45 00   ..C.b...%.....E.
0010  05 dc 80 e2 40 00 40 06 0a 08 c0 a8 14 6c c0 a8   ....@.@......l..
0020  14 75 c0 e4 0e 6d a9 07 04 b3 7f 6d 77 39 50 10   .u...m.....mw9P.
0030  16 d0 1b 2a 00 00 ef 61 01 00 17 44 9b 2a 74 00   ...*...a...D.*t.
0040  05 3c 81 00 0c 30 08 33 b2 dd d9 03 c0 00 08 67   .<...0.3.......g
0050  a1 00 00 67 30 00 0e fc 04 02 27 ef 61 01 00 17   ...g0.....'.a...
0060  44 9b 2a 74 00 05 40 47 00 0c 30 08 33 b2 dd d9   D.*t..@G..0.3...
0070  03 c0 00 08 67 88 00 00 6b 30 00 bb b7 04 02 bc   ....g...k0......
0080  ef 61 01 00 17 44 9b 2a 74 00 05 43 a2 00 0c 30   .a...D.*t..C...0
0090  08 33 b2 dd d9 03 c0 00 08 8c 2c 00 00 66 30 00   .3........,..f0.
00a0  82 91 04 02 ab ef 61 01 00 17 44 9b 2a 74 00 05   ......a...D.*t..
00b0  46 ae 00 0c 30 08 33 b2 dd d9 03 c0 00 08 4b 94   F...0.3.......K.
00c0  00 00 6a 30 00 2b 81 04 02 02 ef 61 01 00 17 44   ..j0.+.....a...D
00d0  9b 2a 74 00 05 4b 64 00 0c 30 08 33 b2 dd d9 03   .*t..Kd..0.3....
00e0  c0 00 08 4b 83 00 00 53 30 00 49 57 04 02 0c ef   ...K...S0.IW....
00f0  61 01 00 17 44 9b 2a 74 00 05 55 f5 00 0c 30 08   a...D.*t..U...0.
0100  33 b2 dd d9 03 c0 00 08 8c 49 00 00 60 30 00 be   3........I..`0..
0110  92 04 02 7c ef 61 01 00 17 44 9b 2a 74 00 05 5d   ...|.a...D.*t..]
0120  86 00 0c 30 08 33 b2 dd d9 03 c0 00 08 8c 1a 00   ...0.3..........
0130  00 6e 30 00 d4 04 04 02 c5 ef 61 01 00 17 44 9b   .n0.......a...D.
0140  2a 74 00 05 60 88 00 0c 30 08 33 b2 dd d9 03 c0   *t..`...0.3.....
0150  00 08 4b 8e 00 00 75 30 00 98 fa 04 02 c0 ef 61   ..K...u0.......a
0160  01 00 17 44 9b 2a 74 00 05 65 04 00 0c 30 08 33   ...D.*t..e...0.3
0170  b2 dd d9 03 c0 00 08 8c 28 00 00 7e 30 00 c2 15   ........(..~0...
0180  04 02 74 ef 61 01 00 17 44 9b 2a 74 00 05 69 96   ..t.a...D.*t..i.
0190  00 0c 30 08 33 b2 dd d9 03 c0 00 08 4b 76 00 00   ..0.3.......Kv..
01a0  75 30 00 f6 ed 04 02 6c ef 61 01 00 17 44 9b 2a   u0.....l.a...D.*
01b0  74 00 05 6f 13 00 0c 30 08 33 b2 dd d9 03 c0 00   t..o...0.3......
01c0  08 8c 4e 00 00 7e 30 00 ce 75 04 02 00 ef 61 01   ..N..~0..u....a.
01d0  00 17 44 9b 2a 74 00 05 72 58 00 0c 30 08 33 b2   ..D.*t..rX..0.3.
01e0  dd d9 03 c0 00 08 8c 39 00 00 68 30 00 c0 05 04   .......9..h0....
01f0  02 83 ef 61 01 00 17 44 9b 2a 74 00 05 75 30 00   ...a...D.*t..u0.
0200  0c 30 08 33 b2 dd d9 03 c0 00 08 4b 6f 00 00 7e   .0.3.......Ko..~
0210  30 00 75 f5 04 02 77 ef 61 01 00 17 44 9b 2a 74   0.u...w.a...D.*t
0220  00 05 82 cf 00 0c 30 08 33 b2 dd d9 03 c0 00 08   ......0.3.......
0230  4b 93 00 00 6d 30 00 5b 66 04 02 2e ef 61 01 00   K...m0.[f....a..
0240  17 44 9b 2a 74 00 05 85 f9 00 0c 30 08 33 b2 dd   .D.*t......0.3..
0250  d9 03 c0 00 08 8c 26 00 00 72 30 00 23 db 04 02   ......&..r0.#...
0260  7e ef 61 01 00 17 44 9b 2a 74 00 05 8b 8b 00 0c   ~.a...D.*t......
0270  30 08 33 b2 dd d9 03 c0 00 08 8c 3e 00 00 6d 30   0.3........>..m0
0280  00 b0 e2 04 02 56 ef 61 01 00 17 44 9b 2a 74 00   .....V.a...D.*t.
0290  05 93 2f 00 0c 30 08 33 b2 dd d9 03 c0 00 08 4b   ../..0.3.......K
02a0  75 00 00 6e 30 00 c6 8e 04 02 f7 ef 61 01 00 17   u..n0.......a...
02b0  44 9b 2a 74 00 05 96 33 00 0c 30 08 33 b2 dd d9   D.*t...3..0.3...
02c0  03 c0 00 08 8c 38 00 00 77 30 00 d0 24 04 02 ab   .....8..w0..$...
02d0  ef 61 01 00 17 44 9b 2a 74 00 05 9a 7d 00 0c 30   .a...D.*t...}..0
02e0  08 33 b2 dd d9 03 c0 00 08 05 c2 00 00 6a 30 00   .3...........j0.
02f0  3f 71 04 02 4f ef 61 01 00 17 44 9b 2a 74 00 05   ?q..O.a...D.*t..
0300  9d 98 00 0c 30 08 33 b2 dd d9 03 c0 00 08 8c 40   ....0.3........@
0310  00 00 6b 30 00 2f bb 04 02 74 ef 61 01 00 17 44   ..k0./...t.a...D
0320  9b 2a 74 00 05 a3 91 00 0c 30 08 33 b2 dd d9 03   .*t......0.3....
0330  c0 00 08 8c 27 00 00 70 30 00 33 fa 04 02 46 ef   ....'..p0.3...F.
0340  61 01 00 17 44 9b 2a 74 00 05 a9 1b 00 0c 30 08   a...D.*t......0.
0350  33 b2 dd d9 03 c0 00 08 86 8b 00 00 76 30 00 a8   3...........v0..
0360  57 04 02 b8 ef 61 02 00 01 44 9b 2a 74 00 05 a9   W....a...D.*t...
0370  fa 00 ee ef 61 02 00 06 44 9b 2a 74 00 05 b4 d8   ....a...D.*t....
0380  01 01 02 02 04 33 e1 ef 61 01 00 17 44 9b 2a 74   .....3..a...D.*t
0390  00 05 ba 45 00 0c 30 08 33 b2 dd d9 03 c0 00 08   ...E..0.3.......
03a0  4b 72 00 00 61 30 00 b6 69 04 02 8e ef 61 01 00   Kr..a0..i....a..
03b0  17 44 9b 2a 74 00 05 c0 90 00 0c 30 08 33 b2 dd   .D.*t......0.3..
03c0  d9 03 c0 00 08 8c 48 00 00 75 30 00 ae b3 04 02   ......H..u0.....
03d0  b2 ef 61 01 00 17 44 9b 2a 74 00 05 c5 f3 00 0c   ..a...D.*t......
03e0  30 08 33 b2 dd d9 03 c0 00 08 8c 33 00 00 5d 30   0.3........3..]0
03f0  00 61 4f 04 02 9f ef 61 01 00 17 44 9b 2a 74 00   .aO....a...D.*t.
0400  05 c9 24 00 0c 30 08 33 b2 dd d9 03 c0 00 08 8c   ..$..0.3........
0410  13 00 00 6d 30 00 45 2d 04 02 1b ef 61 01 00 17   ...m0.E-....a...
0420  44 9b 2a 74 00 05 d1 25 00 0c 30 08 33 b2 dd d9   D.*t...%..0.3...
0430  03 c0 00 08 8c 1f 00 00 66 30 00 84 a1 04 02 ac   ........f0......
0440  ef 61 01 00 17 44 9b 2a 74 00 05 d4 dd 00 0c 30   .a...D.*t......0
0450  08 33 b2 dd d9 03 c0 00 08 67 89 00 00 63 30 00   .3.......g...c0.
0460  ab 96 04 02 20 ef 61 01 00 17 44 9b 2a 74 00 05   .... .a...D.*t..
0470  d9 52 00 0c 30 08 33 b2 dd d9 03 c0 00 08 86 8b   .R..0.3.........
0480  00 00 70 30 00 a8 57 04 02 42 ef 61 01 00 17 44   ..p0..W..B.a...D
0490  9b 2a 74 00 05 dd 78 00 0c 30 08 33 b2 dd d9 03   .*t...x..0.3....
04a0  c0 00 08 4b 95 00 00 61 30 00 3b a0 04 02 22 ef   ...K...a0.;...".
04b0  61 01 00 17 44 9b 2a 74 00 05 e1 84 00 0c 30 08   a...D.*t......0.
04c0  33 b2 dd d9 03 c0 00 08 8c 2b 00 00 5c 30 00 f2   3........+..\0..
04d0  76 04 02 cd ef 61 01 00 17 44 9b 2a 74 00 05 e4   v....a...D.*t...
04e0  99 00 0c 30 08 33 b2 dd d9 03 c0 00 08 8c 2e 00   ...0.3..........
04f0  00 60 30 00 a2 d3 04 02 4f ef 61 01 00 17 44 9b   .`0.....O.a...D.
0500  2a 74 00 05 e9 0e 00 0c 30 08 33 b2 dd d9 03 c0   *t......0.3.....
0510  00 08 8c 29 00 00 63 30 00 d2 34 04 02 9b ef 61   ...)..c0..4....a
0520  01 00 17 44 9b 2a 74 00 05 ed 49 00 0c 30 08 33   ...D.*t...I..0.3
0530  b2 dd d9 03 c0 00 08 8c 36 00 00 63 30 00 31 ea   ........6..c0.1.
0540  04 02 b1 ef 61 01 00 17 44 9b 2a 74 00 05 f0 4f   ....a...D.*t...O
0550  00 0c 30 08 33 b2 dd d9 03 c0 00 08 8c 31 00 00   ..0.3........1..
0560  5c 30 00 41 0d 04 02 27 ef 61 01 00 17 44 9b 2a   \0.A...'.a...D.*
0570  74 00 05 f7 7b 00 0c 30 08 33 b2 dd d9 03 c0 00   t...{..0.3......
0580  08 49 e0 00 00 66 30 00 73 f0 04 02 d7 ef 61 01   .I...f0.s.....a.
0590  00 17 44 9b 2a 74 00 05 fa 7d 00 0c 30 08 33 b2   ..D.*t...}..0.3.
05a0  dd d9 03 c0 00 08 8c 35 00 00 64 30 00 01 89 04   .......5..d0....
05b0  02 8d ef 61 01 00 17 44 9b 2a 74 00 05 fd 23 00   ...a...D.*t...#.
05c0  0c 30 08 33 b2 dd d9 03 c0 00 08 05 a2 00 00 61   .0.3...........a
05d0  30 00 53 d7 04 02 66 ef 61 02 00 01 44 9b 2a 74   0.S...f.a...D.*t
05e0  00 06 0d 3a 00 5d ef 61 02 00                     ...:.].a..

Second packet:

No.     Time        Source                Destination           Protocol Info
    62 1.124918    192.168.20.108        192.168.20.117        TCP
 [TCP segment of a reassembled PDU]

Frame 62 (70 bytes on wire, 70 bytes captured)
   Arrival Time: Jun 22, 2006 16:40:29.268713000
   Time delta from previous packet: 0.000346000 seconds
   Time since reference or first frame: 1.124918000 seconds
   Frame Number: 62
   Packet Length: 70 bytes
   Capture Length: 70 bytes
   Protocols in frame: eth:ip:tcp:mach1:mach1
   Coloring Rule Name: TCP
   Coloring Rule String: tcp
Ethernet II, Src: Impinj_00:00:05 (00:16:25:00:00:05), Dst:
Dell_0b:62:0b (00:11:43:0b:62:0b)
   Destination: Dell_0b:62:0b (00:11:43:0b:62:0b)
       Address: Dell_0b:62:0b (00:11:43:0b:62:0b)
       .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
       .... ..0. .... .... .... .... = Locally Administrated Address:
This is a FACTORY DEFAULT address
   Source: Impinj_00:00:05 (00:16:25:00:00:05)
       Address: Impinj_00:00:05 (00:16:25:00:00:05)
       .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
       .... ..0. .... .... .... .... = Locally Administrated Address:
This is a FACTORY DEFAULT address
   Type: IP (0x0800)
Internet Protocol, Src: 192.168.20.108 (192.168.20.108), Dst:
192.168.20.117 (192.168.20.117)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
       0000 00.. = Differentiated Services Codepoint: Default (0x00)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 56
   Identification: 0x80e3 (32995)
   Flags: 0x04 (Don't Fragment)
       0... = Reserved bit: Not set
       .1.. = Don't fragment: Set
       ..0. = More fragments: Not set
   Fragment offset: 0
   Time to live: 64
   Protocol: TCP (0x06)
   Header checksum: 0x0fab [correct]
       Good: True
       Bad : False
   Source: 192.168.20.108 (192.168.20.108)
   Destination: 192.168.20.117 (192.168.20.117)
Transmission Control Protocol, Src Port: 49380 (49380), Dst Port: 3693
(3693), Seq: 31285, Ack: 0, Len: 16
   Source port: 49380 (49380)
   Destination port: 3693 (3693)
   Sequence number: 31285    (relative sequence number)
   Next sequence number: 31301    (relative sequence number)
   Acknowledgement number: 0    (relative ack number)
   Header length: 20 bytes
   Flags: 0x0018 (PSH, ACK)
       0... .... = Congestion Window Reduced (CWR): Not set
       .0.. .... = ECN-Echo: Not set
       ..0. .... = Urgent: Not set
       ...1 .... = Acknowledgment: Set
       .... 1... = Push: Set
       .... .0.. = Reset: Not set
       .... ..0. = Syn: Not set
       .... ...0 = Fin: Not set
   Window size: 5840
   Checksum: 0x33db [correct]
   TCP segment data (16 bytes)
   Reassembled PDU in frame: 62
   TCP segment data (5 bytes)
   TCP segment data (9 bytes)
Reassembled TCP Segments (5 bytes): #60(4), #62(1)
   Frame: 60, payload: 0-3 (4 bytes)
   Frame: 62, payload: 4-4 (1 bytes)
Impinj Mach1  #1 ???11::UNKNOWN

Frame (70 bytes):

0000  00 11 43 0b 62 0b 00 16 25 00 00 05 08 00 45 00   ..C.b...%.....E.
0010  00 38 80 e3 40 00 40 06 0f ab c0 a8 14 6c c0 a8   .8..@.@......l..
0020  14 75 c0 e4 0e 6d a9 07 0a 67 7f 6d 77 39 50 18   .u...m...g.mw9P.
0030  16 d0 33 db 00 00 06 44 9b 2a 74 00 06 15 ef 01   ..3....D.*t.....
0040  01 01 02 04 33 ed                                 ....3.

Reassembled TCP (5 bytes):

0000  ef 61 02 00 06                                    .a...