Wireshark-dev: Re: [Wireshark-dev] TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Thu, 25 May 2017 19:44:05 +0200
Hi Conall,

2017-05-24 18:19 GMT+02:00 Conall Prendergast <conall.prendergast@xxxxxxxx>:
Hi All,

I have been analyzing a TCAP trace with wireshark with the tcap.srt and tcap.persistentsrt options set to "TRUE".

This should correctly match TCAP Begins (using 2 pass analysis) with their associated TCAP Ends, and vise-versa.

I have attached two files, "correct_matches.pcap" and "incorrect_matches.pcap", that demonstrate some spurious behavior. These two files are from the same feed, and "correct_matches.pcap" contains packets 5, 11, 15, and 19 from "incorrect_matches.pcap".

"correct_matches.pcap" will correctly match packet 1 (TC_BEGIN) with packet 4 (TC_END), and packets 2 and 3 similarly, however, when these packets are analysed with the rest of the feed (incorrect_matches.pcap), these very same packets do not match up. 

Instead, packet 5 (packet 1 from "correct_matches") matches with packet 15 (3) instead of packet 19 (4).

As you can guess, this is unexpected behavior.

So in summary, correct_maches.pcap contains:
1 => 4
2 => 3

incorrect_matches contains:
5 => 15
11 => x
x => 19

and the mapping of correct_matches to incorrect_matches is:
1 => 5
2 => 11
3 => 15
4 => 19


Any and all help is appreciated.
Thanks,
Conall

I had a quick look art the code and the issue is that the identification of the TC_END is done exclusively on the destination address (11330) and dtid (0b), without taking into consideration the origin address. And 2 transaction used the same destination address and dtid, confusing the code. The first one is between 11330 and 11332 and starts at frame 5, the second one is between 11330 and 11334 and starts at frame 11.
A fix could be to consider the source address in the hash comparison. I tried it locally and it seems to work fine with your sample.
But I do not know TCAP protocol. Can we assume that a transaction (TC_BEGIN) between host a and b will always stay between both hosts, or could it be transferred from host b to host c so that host c could reply to host a (I hope my question is clear ;))? If not, then my change is safe.

BR,
Pascal.

PS: could you fill a bug with your description and traces here: https://bugs.wireshark.org/bugzilla/ ? I will upload my fix attempt for review afterwards. If you run on Windows, I could also provide you a test build allowing you to test it further and confirm everything is fine. If you run on another platform, I can provide the patch but you will have to compile Wireshark yourself.