> I have just updated to Wireshark 1.12.4 and I’m trying to build a dissector from
> our CORBA IDL. I have done this before for earlier versions of Wireshark, so know the basic procedure.
> I am building on Windows 7
> Then when I come to use it I am getting lots of “Malformed Packet” errors and \000 printed on the decoded string
I have done a bit more investigation and it seems there are two problems. The \000 on the end of the decoded strings is nothing to do with my dissector. This is a problem with the standard GIOP dissector. The code that displays this string is in packet-giop.c. In dissect_giop_request_1_2 there is the following...
    len = get_CDR_string(tvb, &operation, &offset, stream_is_big_endian, GIOP_HEADER_SIZE);
    proto_tree_add_uint (request_tree, hf_giop_req_operation_len, tvb, offset - 4 - len, 4, len);
    if ( len > 0)
    {
        col_append_fstr(pinfo->cinfo, COL_INFO, ": op=%s", format_text(operation, (size_t)len));
        proto_tree_add_string(request_tree, hf_giop_req_operation, tvb, offset - len, len, operation);
    }
It would appear format_text includes the terminating NULL byte and returns this as the \000 on the end of the string.
I don't know if the fault is with format_text, the length returned by get_CDR_string or the length passed to format_text. If I change the call to use len-1 the GIOP requests are printed correctly.
Looking at the Malformed Packet errors, they are always caused by the system thinking there has been an exception. Opening the packet, it says, for example:
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
But there hasn't been a CORBA exception. This happens in both requests and replies and always happens with the same requests. So some requests and replies always cause these errors, others don't. I haven't been able to work out what is causing this, but it does seem to be a problem with my dissector. If I turn off my dissector the errors go away.
So any help with this would be much appreciated.
Andy Ling
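
Added example, not part of the original message and not Wireshark code: a CORBA CDR string carries a length field that counts its terminating NUL, so an escaping formatter handed the full length prints the terminator as \000, as described above. The names cdr_string, escape_text and render_op are hypothetical stand-ins for get_CDR_string and format_text, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: CDR string "ping", big-endian. Length 5 counts the NUL. */
static const uint8_t sample[] = { 0, 0, 0, 5, 'p', 'i', 'n', 'g', 0 };

/* Read a big-endian CDR string at *off; returns its length field (0 on error). */
static uint32_t cdr_string(const uint8_t *buf, size_t buflen, size_t *off,
                           const uint8_t **str) {
    size_t pos = *off;
    if (pos > buflen || buflen - pos < 4) return 0;
    uint32_t len = (uint32_t)buf[pos] << 24 | (uint32_t)buf[pos + 1] << 16 |
                   (uint32_t)buf[pos + 2] << 8 | buf[pos + 3];
    pos += 4;
    if (len > buflen - pos) return 0;
    *str = buf + pos;
    *off = pos + len;
    return len;
}

/* Stand-in for an escaping formatter: non-printable bytes become \ooo. */
static size_t escape_text(const uint8_t *s, size_t len, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; i < len && n + 5 <= outsz; i++) {
        if (s[i] >= 0x20 && s[i] < 0x7f) out[n++] = (char)s[i];
        else n += (size_t)snprintf(out + n, outsz - n, "\\%03o", (unsigned)s[i]);
    }
    out[n] = '\0';
    return n;
}

/* Render the sample; trim drops the terminator only if the last byte is NUL. */
static size_t render_op(int trim, char *out, size_t outsz) {
    const uint8_t *op = NULL;
    size_t off = 0;
    uint32_t len = cdr_string(sample, sizeof sample, &off, &op);
    if (len == 0) return escape_text(sample, 0, out, outsz);
    if (trim && op[len - 1] == '\0') len--;
    return escape_text(op, len, out, outsz);
}

int main(void) {
    char raw[32], trimmed[32];
    render_op(0, raw, sizeof raw);
    render_op(1, trimmed, sizeof trimmed);
    printf("full length: op=%s\nlen - 1:     op=%s\n", raw, trimmed);
    return 0;
}
```

Checking that the last byte really is NUL before shortening the display length keeps a peer that omits the terminator from losing its final character.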