Ethereal-dev: [Ethereal-dev] WCP decode not working?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Visser, Martin (SNO)" <Martin.Visser@xxxxxxxxxx>
Date: Tue, 17 Apr 2001 09:04:43 +0800
Hi, I'm being a bit lazy but I noticed that Wellfleet Compression Protocol purports to be support in 0.8.17. I have attached a PCAP capture in which frames 3, 4 and 7 ought to be WCP. Ethereal only says it is PPP compressed but doesn't decode any further? Is there something wrong here? I captured these using the Nortel PcapTap program (also known as walts) which captures directly from the serial interface on the router. As long as I specified the .enc file I saved as PPP format it would flag such packets as WCP (though not decode them). Below is the text of the 3rd frame from PcapTap. Data File: C:/PROGRA~1/PcapTap/dttwcp.enc Print Date: Tue Apr 17 09:51:23 AUS Eastern Daylight Time 2001 Frame Delta T Length Dir Dest Address Source Address 52 14:42:52.579 39 Tx Frame 52 Date and Time: 22-Mar-2001 14:42:52.579 Point to Point Protocol (PPP) byte 0 addr 0xff 8 bits contrl 0x3 8 bits protocol WCP 16 bits WCP Header byte 4 op_code DATA_COMPRESSED_IND 4 bits seq_no 2764 12 bits DATA byte 6 0: 82208500 0040d741 20850120 9f065085 . [email protected] .. ..P. 10: 02210000 d9285190 014f20e6 086d8c22 .!...(Q..O ..m." 20: 29 0: ff0300fd 0acc8220 85000040 d7412085 ....... [email protected] . 10: 01209f06 50850221 0000d928 5190014f . ..P..!...(Q..O 20: 20e6086d 8c2229 ..m.") Martin Visser Technology Consultant - Compaq Global Services Compaq Computer Australia 410 Concord Road Rhodes, Sydney NSW 2138 Australia Phone: +61-2-9022-5630 Mobile: +61-411-254-513 Fax:+61-2-9022-7001 Email:martin.visser@xxxxxxxxxx > -----Original Message----- > From: Guy Harris [mailto:guy@xxxxxxxxxx] > Sent: Tuesday, 17 April 2001 9:56 AM > To: Ronnie Sahlberg > Cc: ethereal-dev@xxxxxxxxxxxx > Subject: Re: [Ethereal-dev] IP defragment > > > > please consider for cvs > > The code that does > > ipfk->srcip = *((guint32 *)pinfo->src.data); > ipfk->dstip = *((guint32 *)pinfo->dst.data); > > may crash on platforms with strict memory alignment requirements (and, > in fact, *did* crash on my SPARC/Solaris/GCC platform at work on at > least one capture file); do > > memcpy(&ipfk->srcip, pinfo->src.data, sizeof ipfk->srcip); > memcpy(&ipfk->dstip, pinfo->dst.data, sizeof ipfk->dstip); > > instead. > > Note also that "g_malloc()" is defined to abort the application if you > run out of memory: > > http://developer.gnome.org/doc/API/glib/glib-memory-allocation.html "Note: If any call to allocate memory fails, the application is terminated. This also means that there is no need to check if the call succeeded." so it shouldn't check for "g_malloc()" returning NULL - it never returns NULL. You also need to save and restore some of the members of "pi" before calling a subdissector, so that old-style (non-tvbuffified) dissectors work correctly. In addition, given that the reassembly code checks the IP checksum, you have to compute it *regardless* of whether the "tree" argument is null or not. I've attached a patch to the "packet-ip.c" you sent out, which includes those fixes. Another thing you'll need to do is to arrange that if not all the data in a fragment is present - i.e., if "tvb_reported_length(tvb)" is creater than "tvb_length(tvb)" - you don't add it to the fragment hash table. This can happen if the capture was done with a snapshot length less than the MTU of the network; Ethereal/Tethereal, snoop, and Microsoft Network Monitor default to a large or "infinite" snapshot length, so, at least with those programs, it'll happen only if the user explicitly specifies a smaller snapshot length, but the default snapshot length in tcpdump is 68 bytes, so it'll happen with tcpdump *unless* the user specifies a larger snapshot length. > * multiple-tails, overlap-conflict and too-long-fragmnet will also set > "ip.fragments.error" which is easier to use in a > display-filter. Perhaps what we need here is either 1) a generic "error" flag that can be set on a frame, with an expression such as "error" checking it or 2) a way of marking a protocol tree item as an error indication, which could not only be filtered for with a special expression such as "error" but could perhaps also be made a different color (defaulting, perhaps, to the standard color, but allowing the user to specify a different color).
Attachment:
wcp.pcap
Description: Binary data
- Follow-Ups:
- Re: [Ethereal-dev] WCP decode not working?
- From: Guy Harris
- Re: [Ethereal-dev] WCP decode not working?
- Prev by Date: Re: [Ethereal-dev] IP defragment
- Next by Date: Re: [Ethereal-dev] WCP decode not working?
- Previous by thread: Re: [Ethereal-dev] On hook, MGCP
- Next by thread: Re: [Ethereal-dev] WCP decode not working?
- Index(es):