Wireshark · Wireshark-dev: Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors

Wireshark-dev: Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>

Date: Wed, 24 Nov 2010 21:12:46 +0100

Hi Anders,

Le 24/11/2010 17:39, Anders Broman a écrit :

Hi,

Does it work better with revision 35020 or later?

It's working fine now.

Thanks,
Pascal.

Regards

Anders

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Pascal Quantin
Sent: den 24 november 2010 09:04
To: Developer support list for Wireshark
Subject: [Wireshark-dev] SVN revision 35005 and heuristic dissectors

Hi,

since revision 35005 and the commit of the ReLOAD framing dissector the UDP heuristic dissector I use (LTE-RLC) no longer works. My RLC PDU is seen as a ReLOAD packet.

When looking at the code, the function dissect_reload_framing_heur() calls dissect_reload_framing_message() that does almost no checks:

/* First, make sure we have enough data to do the check. */
if (effective_length < MIN_HDR_LENGTH)
    return 0;

/* Get the type */
type = tvb_get_guint8(tvb, 0);

if (type == DATA) {
    /* in the data type, check the reload token to be sure this
       is a reLoad packet */
    message_length = (tvb_get_ntohs(tvb, 1 + 4)<<8)+ tvb_get_guint8(tvb, 1 + 4 + 2);
    if (message_length < MIN_RELOADDATA_HDR_LENGTH) {
      return 0;
    }
    relo_token = tvb_get_ntohl(tvb,1 + 4 + 3);
    if (relo_token != RELOAD_TOKEN) {
      return 0;
    }
}

The LTE-RLC heuristic dissector adds the "rlc-lte" string at the beginning of the UDP packet and unfortunately it is caught by the code above.

I'm not familiar with this protocol but I guess there is probably a way to avoid breaking other dissectors. Adding the following patch helps on my side but I'm not sure it is fully valid and it still seems weak to me:

Index: epan/dissectors/packet-reload-framing.c
===================================================================
--- epan/dissectors/packet-reload-framing.c    (revision 35018)
+++ epan/dissectors/packet-reload-framing.c    (working copy)
@@ -143,9 +143,10 @@
     if (relo_token != RELOAD_TOKEN) {
       return 0;
     }
+ } else if (type != ACK) {
+    return 0;
   }

-
   /* The message seems to be a valid reLOAD framing message! */

   col_set_str(pinfo->cinfo, COL_PROTOCOL, "RELOAD Frame");

Thanks,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-dev] SVN revision 35005 and heuristic dissectors
  - From: Pascal Quantin
- Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors
  - From: Anders Broman

Prev by Date: [Wireshark-dev] Messy capture_if_details_dlg_win32.c
Next by Date: [Wireshark-dev] a request for help that might expand your market
Previous by thread: Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors
Next by thread: [Wireshark-dev] Segmentation Fault in Simple Dissector-Plugin
Index(es):
- Date
- Thread