Dne 16.09.10 19:52, Guy Harris napsal(a):
On Sep 16, 2010, at 7:12 AM, Petr Sumbera wrote:
I didn't say how big the *packet* is, I said how big the *header* is. IPv4 has two length fields, the header length, which is what you say is zero, and the total length. If you only know the total length, you *CANNOT* determine the header length. What you originally said was
But the problem is that stored packets for *outgoing* traffic doesn't
contain "Header length" (it's zero as at layer where it was captured it
wasn't filled, the same case is for "Header checksum").
dissect_ip() for such packets will report just:
"Header length: %u bytes (bogus, must be at least %u)".
which was referring to the header length, not the total length.
My mistake I found wrong occurrence of "bogus" word and worked with it.
In reality I'm seeing only this:
Total length: 0 bytes (bogus, less than header length 20)
You would have to make a copy of the packet data and construct a new tvbuff - and even that, as noted, can not and will not fix
I guess I should go this way then?
For now I did another quick hack you probably wouldn't like it:
--- wireshark-1.2.10/epan/dissectors/packet-ip.c.orig
+++ wireshark-1.2.10/epan/dissectors/packet-ip.c
@@ -1487,7 +1487,7 @@
if (ip_tso_supported && !iph->ip_len)
iph->ip_len = tvb_reported_length(tvb);
- if (iph->ip_len < hlen) {
+ if (iph->ip_len < hlen && (iph->ip_len!=0 && tvb_get_ntohs(tvb,
offset + 10)!=0)) {
if (check_col(pinfo->cinfo, COL_INFO))
col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less
than header length %u)",
iph->ip_len, hlen);
@@ -1504,7 +1504,8 @@
* obviously bogus, adjust the length of this tvbuff to include only
* the IP datagram.
*/
- set_actual_length(tvb, iph->ip_len);
+ if (iph->ip_len)
+ set_actual_length(tvb, iph->ip_len);
if (tree)
proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2,
iph->ip_len);
Thanks for helping me with this!
Petr