List: wireshark-dev
Subject: Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors
From: Pascal Quantin <pascal.quantin () gmail ! com>
Date: 2010-11-24 20:12:46
Message-ID: 4CED71BE.2030507 () gmail ! com
Hi Anders,
On 24/11/2010 17:39, Anders Broman wrote:
> Hi,
> Does it work better with revision 35020 or later?
It's working fine now.
Thanks,
Pascal.
> Regards
> Anders
>
> ------------------------------------------------------------------------
> *From:* wireshark-dev-bounces@wireshark.org
> [mailto:wireshark-dev-bounces@wireshark.org] *On Behalf Of *Pascal Quantin
> *Sent:* 24 November 2010 09:04
> *To:* Developer support list for Wireshark
> *Subject:* [Wireshark-dev] SVN revision 35005 and heuristic dissectors
>
> Hi,
>
> since revision 35005 and the commit of the ReLOAD framing dissector
> the UDP heuristic dissector I use (LTE-RLC) no longer works. My RLC
> PDU is seen as a ReLOAD packet.
>
> When looking at the code, the function dissect_reload_framing_heur()
> calls dissect_reload_framing_message() that does almost no checks:
>
> /* First, make sure we have enough data to do the check. */
> if (effective_length < MIN_HDR_LENGTH)
>     return 0;
>
> /* Get the type */
> type = tvb_get_guint8(tvb, 0);
>
> if (type == DATA) {
>     /* in the data type, check the reload token to be sure this
>        is a reLoad packet */
>     message_length = (tvb_get_ntohs(tvb, 1 + 4) << 8) +
>                      tvb_get_guint8(tvb, 1 + 4 + 2);
>     if (message_length < MIN_RELOADDATA_HDR_LENGTH) {
>         return 0;
>     }
>     relo_token = tvb_get_ntohl(tvb, 1 + 4 + 3);
>     if (relo_token != RELOAD_TOKEN) {
>         return 0;
>     }
> }
>
> The LTE-RLC heuristic dissector adds the "rlc-lte" string at the
> beginning of the UDP packet and unfortunately it is caught by the code
> above.
>
> I'm not familiar with this protocol but I guess there is probably a
> way to avoid breaking other dissectors. Adding the following patch
> helps on my side but I'm not sure it is fully valid and it still seems
> weak to me:
>
> Index: epan/dissectors/packet-reload-framing.c
> ===================================================================
> --- epan/dissectors/packet-reload-framing.c (revision 35018)
> +++ epan/dissectors/packet-reload-framing.c (working copy)
> @@ -143,9 +143,10 @@
> if (relo_token != RELOAD_TOKEN) {
> return 0;
> }
> + } else if (type != ACK) {
> + return 0;
> }
>
> -
> /* The message seems to be a valid reLOAD framing message! */
>
> col_set_str(pinfo->cinfo, COL_PROTOCOL, "RELOAD Frame");
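Review bot: the new `} else if (type != ACK) { return 0; }` branch stops unknown types from falling through as "valid", but an ACK frame is still claimed on its single type byte alone, with no length or content check of the kind the DATA branch does with message_length and relo_token; bound the ACK path by the bytes actually present (effective_length is already computed) before the heuristic claims the packet. The `-` line that deletes a blank line is an unrelated whitespace change and should be left out of the patch.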
>
>
>
> Thanks,
> Pascal.
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
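As an added example (not Wireshark's code nor the patch above), a stand-alone C model of the quoted heuristic, before and after the posted `else if (type != ACK)` change, run over constructed UDP payloads. The type values and token are those of RFC 6940; the two MIN_* thresholds are assumed values chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>

#define DATA 128                     /* FramedMessageType data(128), ack(129) (RFC 6940) */
#define ACK  129
#define RELOAD_TOKEN 0xd2454c4fu     /* "RELO" with the high bit of 'R' set */
#define MIN_HDR_LENGTH 9             /* assumed value: an ACK frame is 9 bytes */
#define MIN_RELOADDATA_HDR_LENGTH 38 /* assumed value for this example */

/* strict=0 reproduces the quoted check, where any non-DATA type falls through as
 * "valid"; strict=1 adds the patch's "else if (type != ACK) return 0;".
 * Returns 1 when the heuristic would claim the packet, 0 when it declines. */
int reload_framing_heur(const uint8_t *buf, size_t len, int strict)
{
    if (len < MIN_HDR_LENGTH) return 0;
    uint8_t type = buf[0];
    if (type == DATA) {
        /* 24-bit length at offset 5, relo_token at offset 8; tvb_get_* would throw
         * on a short buffer, here the bound is checked explicitly */
        if (len < 12) return 0;
        uint32_t message_length = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
        if (message_length < MIN_RELOADDATA_HDR_LENGTH) return 0;
        uint32_t relo_token = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                              ((uint32_t)buf[10] << 8) | buf[11];
        if (relo_token != RELOAD_TOKEN) return 0;
    } else if (strict && type != ACK) {
        return 0;
    }
    return 1;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t rlc_lte_pdu[] = {    /* "rlc-lte" prefix the LTE-RLC heuristic expects */
    'r','l','c','-','l','t','e', 0x00, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t reload_data[] = {    /* DATA, sequence, length 64, "RELO" token, body */
    0x80, 0,0,0,1, 0x00,0x00,0x40, 0xd2,0x45,0x4c,0x4f, 0x0a,0x0b };
static const uint8_t reload_ack[] = {     /* ACK, sequence, received bitmap */
    0x81, 0,0,0,1, 0xff,0xff,0xff,0xff };
static const uint8_t data_bad_token[] = { /* DATA type byte but no "RELO" token */
    0x80, 0,0,0,1, 0x00,0x00,0x40, 'r','l','c','-', 0x00,0x00 };

/* Which payloads each version of the heuristic claims. */
int claims_rlc_lte(int strict)   { return reload_framing_heur(rlc_lte_pdu, sizeof rlc_lte_pdu, strict); }
int claims_data(int strict)      { return reload_framing_heur(reload_data, sizeof reload_data, strict); }
int claims_ack(int strict)       { return reload_framing_heur(reload_ack, sizeof reload_ack, strict); }
int claims_bad_token(int strict) { return reload_framing_heur(data_bad_token, sizeof data_bad_token, strict); }
```

With strict=0 the "rlc-lte" payload is claimed as ReLOAD, which is the misclassification reported above; with strict=1 it is declined while genuine DATA and ACK frames still pass.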