Hi List!
A colleague of mine told me of a bug in Ethereal he had discovered, when
using the "follow TCP stream" function in combination with some special
ISO8073 packets.
The packets will look like this in the "Packet Details" window:
-Frame
-Ethernet II
-Internet Protocol
-Transmission Control Protocol
-TPKT
-ISO8073
When using the "follow TCP stream" function on this kind of packet,
this results just in an empty TCP stream.
The problem is that the generated filter string will have both source
and destination ports set to zero, which will obviously show no packets
at all.
Info: The usual protocol stack of an ISO8073 packet will look like this:
-Frame
-Ethernet II
-ISO8073
So there are obviously no TCP ports involved in the normal ISO8073
communication at all.
Just debugged a bit, points me to the following problem:
ISO8073 packets are "usually" used on top of Ethernet II, not on top of
TCP as in this special case. As this is true, the packet_info srcport
and destport fields are used to carry the somewhat equivalent src_ref
and dest_ref info from the ISO packets. This is ok when used with
ISO8073 only (see packet_clnp.c line 872 for details).
As the packets "making problems" are using TCP *and* ISO8073, we get a
conflict here, as both protocols try to use these port fields to store
their info in.
I'm not sure what the storing of the src_ref / dest_ref fields is good
for. This might be helpful for the conversation stuff, but I don't have
much knowledge of these things.
As there's a conflict in the protocols here, I need some advice to solve
this, as this bug can be annoying in everyday work...
Regards, ULFL
P.S: I can send an example capture file for this!
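
A simplified model of the field conflict described in the message above, added here as an example; it is not Ethereal's code and not part of the original post. The struct, the function names, the sample port and reference values, and the "saved copy" alternative are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-in for the per-packet info structure. */
struct pinfo_model { uint32_t srcport, destport; };

/* Constructed sample: TPKT on TCP port 102, ISO8073 references both 0. */
enum { TCP_SPORT = 1045, TCP_DPORT = 102, SRC_REF = 0, DST_REF = 0 };

static void model_tcp(struct pinfo_model *p)     /* TCP stores its ports */
{ p->srcport = TCP_SPORT; p->destport = TCP_DPORT; }

static void model_iso8073(struct pinfo_model *p) /* ISO8073 reuses the same fields */
{ p->srcport = SRC_REF; p->destport = DST_REF; }

/* Port part of a follow-stream style display filter. */
static void port_filter(char *buf, size_t n, uint32_t a, uint32_t b)
{ snprintf(buf, n, "tcp.port eq %u and tcp.port eq %u", (unsigned)a, (unsigned)b); }

/* Filter built from the shared fields after all layers have run. */
void filter_from_shared_fields(char *buf, size_t n)
{
    struct pinfo_model p = {0, 0};
    model_tcp(&p);
    model_iso8073(&p);            /* overwrites the TCP ports */
    port_filter(buf, n, p.srcport, p.destport);
}

/* Assumed alternative: keep a TCP-only copy taken before upper layers run. */
void filter_from_saved_tcp_ports(char *buf, size_t n)
{
    struct pinfo_model p = {0, 0}, tcp_only;
    model_tcp(&p);
    tcp_only = p;                 /* snapshot before ISO8073 touches p */
    model_iso8073(&p);
    port_filter(buf, n, tcp_only.srcport, tcp_only.destport);
}

int main(void)
{
    char buf[64];
    filter_from_shared_fields(buf, sizeof buf);   puts(buf);
    filter_from_saved_tcp_ports(buf, sizeof buf); puts(buf);
    return 0;
}
```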