Ethereal-users: Re: [Ethereal-users] Ethereal 0.9.0: Reporting 'Malformed Frame: SKINNY'

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Thu, 31 Jan 2002 15:27:53 +0100
Ron,

On Thu, Jan 31, 2002 at 08:13:33AM -0600, Ron Flory wrote:
>  While monitoring a raw TCP stream (telnet protocol, but the server is on
> port 2000 on an embedded device) ethereal often reports it is seeing SKINNY
> frames.  This only appears to happen on frames 60 bytes in length, or less
> (probably due to the 64-byte ethernet minimum).

The Skinny protocol is the protocol by which Cisco IP-phones talk with the
IP-PBX. It uses TCP on Port 2000. The dissector has a small heuristic to
make sure that the protocol is indeed the skinny protocol. Unfortunately,
your telnet packets seem to fulfill the check:

/* check, if this is really an SKINNY packet, they start with a length + 0 */

/* get relevant header information */
  hdr_data_length = tvb_get_letohl(tvb, 0);  /* <--- bytes 0-3 of the payload */
  hdr_reserved    = tvb_get_letohl(tvb, 4);  /* <--- bytes 4-7 */
  data_messageid  = tvb_get_letohl(tvb, 8);  /* <--- bytes 8-11 */
  data_size       = MIN(8+hdr_data_length, tvb_length(tvb)) - 0xC;

  /* hdr_data_length > 1024 is just a heuristic. Better values/checks welcome */
  if (hdr_data_length < 4 || hdr_data_length > 1024 || hdr_reserved != 0) {
    /* Not an SKINNY packet, just happened to use the same port */
    call_dissector(data_handle,tvb, pinfo, tree);
    return;
  }

In case you don't mind recompiling, try to change the test into:

  if (hdr_data_length < 4 || hdr_data_length > 1024 ||
        hdr_reserved != 0 || data_messageid > 0x011B) {

I don't have an idea how to improve the test further right now.

>  Ethereal is reporting SKINNY frames for those sent by the 'other' machine
> as well as the local Linux system.  Both machines are correctly 'padding'
> all ether frames out to the required 64 byte minimum.  My guess is that
> ethereal is being fooled by the Linux network drivers, which may be
> stripping the pad bytes at time of reception, and the dissector is seeing
> what it thinks are runt frames.
> 
>  An older version of ethereal (0.8.12 on an x86 Linux 2.2.18 machine ) does
> not exhibit this 'feature'.

Rudimentary support for the skinny protocol was added after 0.8.12.

--
Joerg Mayer                                          <jmayer@xxxxxxxxx>
I found out that "pro" means "instead of" (as in proconsul). Now I know
what proactive means.
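
Added example (not part of the original message and not Ethereal's own code): the check quoted above, including the proposed message-id bound, written as a stand-alone C function over a raw byte buffer so it can be run against sample payloads. The function and helper names, the 12-byte length guard and the sample payloads are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SKINNY_HDR_LEN   12       /* length + reserved + message id fields */
#define SKINNY_MAX_LEN   1024     /* heuristic bound quoted in the message */
#define SKINNY_MAX_MSGID 0x011Bu  /* upper bound proposed in the message */

/* Read a little-endian 32-bit value; the caller has checked the bounds. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 1 if a TCP payload passes the heuristic, 0 otherwise. */
int looks_like_skinny(const uint8_t *buf, size_t len)
{
    /* Assumption: reject payloads too short to hold the three header
     * fields instead of reading past the end of the buffer. */
    if (buf == NULL || len < SKINNY_HDR_LEN)
        return 0;

    uint32_t hdr_data_length = get_le32(buf);
    uint32_t hdr_reserved    = get_le32(buf + 4);
    uint32_t data_messageid  = get_le32(buf + 8);

    if (hdr_data_length < 4 || hdr_data_length > SKINNY_MAX_LEN ||
        hdr_reserved != 0 || data_messageid > SKINNY_MAX_MSGID)
        return 0;   /* just happened to use the same port */
    return 1;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_min_header[]   = {4,0,0,0, 0,0,0,0, 0,0,0,0};
static const uint8_t sample_bad_msgid[]    = {4,0,0,0, 0,0,0,0, 0x00,0x10,0,0};
static const uint8_t sample_telnet_short[] = {'l','s','\r','\n'};
static const uint8_t sample_telnet_text[]  = "login: admin\r\n";

int main(void)
{
    printf("min header:   %d\n", looks_like_skinny(sample_min_header, sizeof sample_min_header));
    printf("bad msg id:   %d\n", looks_like_skinny(sample_bad_msgid, sizeof sample_bad_msgid));
    printf("short telnet: %d\n", looks_like_skinny(sample_telnet_short, sizeof sample_telnet_short));
    printf("telnet text:  %d\n", looks_like_skinny(sample_telnet_text, sizeof sample_telnet_text - 1));
    return 0;
}
```

The second sample passes the original three-condition test and is rejected only by the added message-id bound.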