
List:       wireshark-bugs
Subject:    [Wireshark-bugs] [Bug 15655] New: Dissector created by LUA does not dissect TCP sequence properly wh
From:       bugzilla-daemon () wireshark ! org
Date:       2019-03-28 11:49:18
Message-ID: bug-15655-15 () https ! bugs ! wireshark ! org/bugzilla/

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15655

            Bug ID: 15655
           Summary: Dissector created by LUA does not dissect TCP sequence
                    properly when the capture is truncated
           Product: Wireshark
           Version: 3.0.0
          Hardware: x86-64
                OS: Windows 10
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Build process
          Assignee: bugzilla-admin@wireshark.org
          Reporter: xqjcool@gmail.com
  Target Milestone: ---

Created attachment 17016
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17016&action=edit
truncated capture, max size 256

Build Information:
Version 3.0.0 (v3.0.0-0-g937e33de) 
Copyright 1998-2019 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software;
see the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with
libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with
bcg729. 
Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)
i3-3240 CPU @ 3.40GHz (with SSE4.2), with 8141 MB of physical memory, with
locale Chinese (Simplified)_China.936, with Npcap version 0.99-r9, based on
libpcap version 1.8.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap,
binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017
(VC++ 14.12, build 25835). 
Wireshark is Open Source Software released under the GNU General Public
License. 
Check the man page and http://www.wireshark.org for more information
--
I wrote a dissector which dissects the inner IP packet.
The packet format is as below.
> --ETH--|--IP--|--TCP--|==Inner Wan==|==Inner IP==|==Inner TCP==|

A normal packet is dissected correctly,
while when the pcap is truncated to 256 bytes per packet:

Inner IP will alarm that "IPv4 total length exceeds packet length (186 bytes)".
Inner TCP can't parse the sequence correctly because it thought the segment length is
146.

Frame 20: 1270 bytes on wire (10160 bits), 256 bytes captured (2048 bits)
Ethernet II, Src: 00:00:00_00:70:01 (00:00:00:00:70:01), Dst: NetSys_00:00:00 (00:02:00:00:00:00)
Internet Protocol Version 4, Src: 172.172.3.135, Dst: 172.172.3.127
Transmission Control Protocol, Src Port: 17152, Dst Port: 17152, Seq: 406, Ack: 2827, Len: 1208
Inner Wan [Version:32] [Flags:0] [Checksum:56364] [Policy:536871014]
Internet Protocol Version 4, Src: 13.107.6.171, Dst: 172.172.3.127
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x68 (DSCP: AF31, ECN: Not-ECT)
    Total Length: 1200
        [Expert Info (Error/Protocol): IPv4 total length exceeds packet length (186 bytes)]
    Identification: 0x5954 (22868)
    Flags: 0x4000, Don't fragment
    Time to live: 114
    Protocol: TCP (6)
    Header checksum: 0xe64a [validation disabled]
    [Header checksum status: Unverified]
    Source: 13.107.6.171
    Destination: 172.172.3.127
Transmission Control Protocol, Src Port: 443, Dst Port: 25343, Seq: 1, Ack: 1, Len: 146

-- 
You are receiving this mail because:
You are watching all bug changes.
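The arithmetic behind the report's numbers, as an added example that is not part of the bug report and not Wireshark or the reporter's Lua dissector: a small Python walker over the same ETH|IP|TCP|Inner Wan|Inner IP|Inner TCP layout. The frame is constructed here (the 16-byte "Inner Wan" layout as four 32-bit fields is an assumption, since the report names the fields but not their widths; addresses, ports and the inner IPv4 total length of 1200 are taken from the dump). The walker computes the inner TCP segment length twice, once from the bytes present in the truncated capture and once from the inner IPv4 header's total length, which is the distinction a dissector has to get right when the snaplen is shorter than the packet.

```python
import struct

# Constructed sample frame mirroring the report's layout:
# --ETH--|--IP--|--TCP--|==Inner Wan==|==Inner IP==|==Inner TCP==|
INNER_WAN_LEN = 16          # assumed: four 32-bit fields (Version, Flags, Checksum, Policy)
INNER_PAYLOAD_LEN = 1160    # gives an inner IPv4 total length of 20 + 20 + 1160 = 1200


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, total_length: int, proto: int = 6) -> bytes:
    # Version 4, IHL 5 (20 bytes), DSCP/ECN 0x68, DF set, TTL 114; checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0x68, total_length, 0x5954,
                       0x4000, 114, proto, 0, _ip(src), _ip(dst))


def tcp_header(sport: int, dport: int, seq: int, ack: int) -> bytes:
    # Data offset 5 (20 bytes, no options), flags PSH|ACK, window 65535, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)


def build_frame() -> bytes:
    """Constructed 1270-byte frame; only the inner IPv4/TCP values match the report."""
    payload = b"\x17\x03\x03" + bytes(INNER_PAYLOAD_LEN - 3)   # constructed filler
    inner = (ipv4_header("13.107.6.171", "172.172.3.127", 40 + len(payload))
             + tcp_header(443, 25343, 1, 1) + payload)
    inner_wan = struct.pack("!IIII", 32, 0, 56364, 536871014)  # assumed field layout
    outer_payload = inner_wan + inner
    outer = (ipv4_header("172.172.3.135", "172.172.3.127", 40 + len(outer_payload))
             + tcp_header(17152, 17152, 406, 2827) + outer_payload)
    eth = bytes.fromhex("000200000000") + bytes.fromhex("000000007001") + b"\x08\x00"
    return eth + outer


def dissect_inner_tcp(captured: bytes) -> dict:
    """Walk the encapsulation over the bytes actually captured and compute the
    inner TCP segment length from (a) the captured bytes and (b) the inner
    IPv4 total length. Only (b) survives truncation of the capture."""
    off = 14                                     # Ethernet II, untagged frame assumed
    off += (captured[off] & 0x0F) * 4            # outer IPv4 header (IHL)
    off += (captured[off + 12] >> 4) * 4         # outer TCP header (data offset)
    off += INNER_WAN_LEN                         # Inner Wan header
    inner_ip_off = off
    if inner_ip_off + 20 > len(captured):
        raise ValueError("capture truncated before the inner IPv4 header")
    inner_ihl = (captured[off] & 0x0F) * 4
    inner_total_len = struct.unpack_from("!H", captured, off + 2)[0]
    captured_remaining = len(captured) - inner_ip_off
    expert = []
    if inner_total_len > captured_remaining:     # the expert info seen in the report
        expert.append(f"IPv4 total length exceeds packet length ({captured_remaining} bytes)")
    off += inner_ihl
    if off + 20 > len(captured):
        raise ValueError("capture truncated before the inner TCP header")
    inner_doff = (captured[off + 12] >> 4) * 4
    seq = struct.unpack_from("!I", captured, off + 4)[0]
    seglen_from_captured = captured_remaining - inner_ihl - inner_doff
    seglen_from_ip_header = inner_total_len - inner_ihl - inner_doff
    return {
        "inner_ip_total_length": inner_total_len,
        "captured_at_inner_ip": captured_remaining,
        "expert_info": expert,
        "seq": seq,
        "seglen_from_captured": seglen_from_captured,
        "seglen_from_ip_header": seglen_from_ip_header,
        "next_seq_from_captured": seq + seglen_from_captured,
        "next_seq_from_ip_header": seq + seglen_from_ip_header,
    }


if __name__ == "__main__":
    frame = build_frame()
    print("full capture:     ", dissect_inner_tcp(frame))
    print("snaplen 256 bytes:", dissect_inner_tcp(frame[:256]))  # as in the attachment
```

With the 256-byte snaplen, 186 bytes remain at the inner IPv4 header, the total-length check fires, and the segment length comes out as 146 when taken from the captured bytes but as 1160 (1200 minus the two 20-byte headers) when taken from the IPv4 total length; the next expected sequence number differs in the same way (147 versus 1161). A dissector that hands the inner payload to TCP sized by what was captured, rather than by the length the inner IP header declares, produces exactly the 146-byte segment and the broken sequence tracking the report describes.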

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-request@wireshark.org?subject=unsubscribe
