Ethereal-users: Re: [Ethereal-users] Error in displaying DNP frames ethereal 0.10.7
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 17 Dec 2004 01:28:36 -0800
Zeev Yoram-BYZ008 wrote:
> I am using ethereal for a year now, and I am very satisfied. Recently I upgraded to recent release 0.10.7 from 0.10.0, and found out you added support to DNP3 protocol. This is great. There is one problem - ethereal assumes there is only one DNP packet per Ethernet frame, which is not the case. There may be several DNP packets as in the following example.
DNP runs over TCP, and apparently has a length field in the packet header, so the DNP dissector should be converted to use tcp_dissect_pdus(), which would not only make it handle multiple DNP packets per TCP segment, it'd make it handle DNP packets that cross TCP segment boundaries.
It appears that the DNP User Group requires you to join in order to download the documentation - you can only get a printed copy if you're not a member, and that costs USD 400. I'm not a member of the DNP group, and don't have the documentation, so I don't know whether the length field is:

    the length of the packet, minus the length of the header or some part of the header;

    the length of the packet, including the header;

    something else;

and without knowing that I can't modify the dissector to use tcp_dissect_pdus().
Fortunately, that's *all* I'd need to know to convert it, although a copy of the capture file from which you got that example would be helpful for testing the changes. If you could indicate what the length field indicates, and send me a capture file with which to test the changes, I could check in changes to use tcp_dissect_pdus().
Or, if somebody else familiar with the protocol wants to make the changes, here's a summary of what's needed:
1) rename "dissect_dnp3()" to "dissect_dnp3_pdu()";

2) add a routine "get_dnp3_pdu_len()" which takes as arguments a "tvbuff_t *" and an "int", and returns a "guint"; it would fetch the length field from the PDU with

    length = tvb_get_guint8(tvb, offset + DNP3_DL_LEN_OFFS);

and returns that value, plus whatever additional amount, if necessary, makes it equal to the total length of the DNP3 PDU;

3) make "dissect_dnp3()" look like:

    static void
    dissect_dnp3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 3, get_dnp3_pdu_len,
            dissect_dnp3_pdu);
    }

4) for extra credit, add a preference setting to control whether to reassemble DNP3 PDUs split across TCP segment boundaries, by:

    1) adding a "dnp3_desegment" variable;

        static gboolean dnp3_desegment = TRUE;

    2) add a preference by adding

        module_t *dnp3_module;

    to the list of variables in "proto_register_dnp3()", and adding, after the "proto_register_subtree_array()" call:

        dnp3_module = prefs_register_protocol(proto_dnp3, NULL);
        prefs_register_boolean_preference(dnp3_module, "desegment",
            "Reassemble DNP3 message spanning TCP segments",
            "Whether the DNP3 dissector should reassemble messages spanning multiple TCP segments."
            " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
            &dnp3_desegment);

    3) instead of passing TRUE as the fourth argument to "tcp_dissect_pdus()", pass "dnp3_desegment".
> Ethereal shows DNP as 255 bytes although there are several 255 DNP frames. What is more disturbing is that user thinks it has 255 bytes when it actually gets 1510 bytes on wire.
> Thanks,
> Yoram
>
> No. Time Source Destination Protocol Info
> 14 8.672306 145.9.199.126 145.9.199.22 DNP 3.0 len=255, from 1000 to 1, Unconfirmed User Data (Application Layer Message unreassembled)
>
> Frame 14 (1510 bytes on wire, 1510 bytes captured)
>     Arrival Time: Dec 15, 2004 15:04:30.616574000
>     Time delta from previous packet: 0.158826000 seconds
>     Time since reference or first frame: 8.672306000 seconds
>     Frame Number: 14
>     Packet Length: 1510 bytes
>     Capture Length: 1510 bytes
> Ethernet II, Src: 00:20:75:00:16:41, Dst: 00:09:6b:5f:32:59
>     Destination: 00:09:6b:5f:32:59 (Ibm_5f:32:59)
>     Source: 00:20:75:00:16:41 (Motorola_00:16:41)
>     Type: IP (0x0800)
> Internet Protocol, Src Addr: 145.9.199.126 (145.9.199.126), Dst Addr: 145.9.199.22 (145.9.199.22)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 1496
>     Identification: 0x237e (9086)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 60
>     Protocol: TCP (0x06)
>     Header checksum: 0xa4fa (correct)
>     Source: 145.9.199.126 (145.9.199.126)
>     Destination: 145.9.199.22 (145.9.199.22)
> Transmission Control Protocol, Src Port: 20000 (20000), Dst Port: 1474 (1474), Seq: 51925456, Ack: 945725795, Len: 1456
>     Source port: 20000 (20000)
>     Destination port: 1474 (1474)
>     Sequence number: 51925456
>     Next sequence number: 51926912
>     Acknowledgement number: 945725795
>     Header length: 20 bytes
>     Flags: 0x0018 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 4096
>     Checksum: 0x230a (correct)
> Distributed Network Protocol 3.0
>     Data Link Layer, Len: 255, From: 1000, To: 1, PRM, Unconfirmed User Data
>         Start Bytes: 0x0564
>         Length: 255
>         Control: 0x44 (PRM, Unconfirmed User Data)
>             0... .... = Direction: Not set
>             .1.. .... = Primary: Set
>             ..0. .... = Frame Count Bit: Not set
>             ...0 .... = Frame Count Valid: Not set
>             .... 0100 = Control Function Code: Unconfirmed User Data (4)
>         Destination: 1
>         Source: 1000
>         CRC: 0xe970 (correct)
>     Transport Layer: 0x51 (FIR, Sequence 17)
>         0... .... = Final: Not set
>         .1.. .... = First: Set
>         ..01 0001 = Sequence: 17
>     Application data chunks
>         Application Chunk 0 Len: 16 CRC 0x8965
>         Application Chunk 1 Len: 16 CRC 0xffff
>         Application Chunk 2 Len: 16 CRC 0xffff
>         Application Chunk 3 Len: 16 CRC 0xffff
>         Application Chunk 4 Len: 16 CRC 0xffff
>         Application Chunk 5 Len: 16 CRC 0xffff
>         Application Chunk 6 Len: 16 CRC 0xffff
>         Application Chunk 7 Len: 16 CRC 0xffff
>         Application Chunk 8 Len: 16 CRC 0xffff
>         Application Chunk 9 Len: 16 CRC 0xffff
>         Application Chunk 10 Len: 16 CRC 0xffff
>         Application Chunk 11 Len: 16 CRC 0xffff
>         Application Chunk 12 Len: 16 CRC 0xffff
>         Application Chunk 13 Len: 16 CRC 0xffff
>         Application Chunk 14 Len: 16 CRC 0xffff
>         Application Chunk 15 Len: 10 CRC 0xffff
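What a length callback plus tcp_dissect_pdus()-style framing has to do for the segment in this thread, as a stand-alone added example (not Ethereal code and not part of the original messages): it splits one TCP payload into complete DNP3 link-layer frames and reports how many bytes the next segment must still supply. It assumes the DNP3 link-layer rule that the length octet counts control, addresses and user data but not CRCs, with a 2-byte CRC after each block of up to 16 user-data bytes, which agrees with the chunk sizes in the decode above; the function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DNP3_HDR_LEN     10 /* 0x05 0x64, length, control, dest(2), src(2), CRC(2) */
#define DNP3_DL_LEN_OFFS 2  /* offset of the length octet in the frame */
#define DNP3_MIN_LEN     5  /* control + dest + src, no user data */

/* Assumed rule: on-wire frame size from the length octet; user data is sent in
 * blocks of up to 16 bytes, each with a 2-byte CRC. 0 = impossible length. */
static size_t dnp3_frame_len(uint8_t len_octet)
{
    size_t data;
    if (len_octet < DNP3_MIN_LEN) return 0;
    data = (size_t)len_octet - DNP3_MIN_LEN;
    return DNP3_HDR_LEN + data + 2 * ((data + 15) / 16);
}

/* Walk one TCP payload (CRCs are not verified). Returns the number of complete
 * frames, or -1 on bad start bytes or length; *more = bytes still missing. */
static int dnp3_split(const uint8_t *buf, size_t n, size_t *consumed, size_t *more)
{
    size_t off = 0, flen;
    int frames = 0;
    *more = 0;
    while (off < n) {
        if (n - off < 3) { *more = 3 - (n - off); break; } /* no length octet yet */
        flen = dnp3_frame_len(buf[off + DNP3_DL_LEN_OFFS]);
        if (buf[off] != 0x05 || buf[off + 1] != 0x64 || flen == 0) {
            *consumed = off; return -1;                    /* not a frame start */
        }
        if (flen > n - off) { *more = flen - (n - off); break; } /* frame continues */
        off += flen;
        frames++;
    }
    *consumed = off;
    return frames;
}

int main(void)
{
    static uint8_t seg[1456]; /* constructed: sized like the TCP payload of frame 14 */
    size_t used, more, i;
    int n;
    for (i = 0; i < sizeof seg; i += 292) { seg[i] = 0x05; seg[i + 1] = 0x64; seg[i + 2] = 0xff; }
    n = dnp3_split(seg, sizeof seg, &used, &more);
    printf("%d frames, %zu bytes used, %zu more needed\n", n, used, more);
    return 0;
}
```

The 3 passed as the fixed-length argument in step 3 of the reply corresponds to the `n - off < 3` check here: the length octet is the third byte of the frame.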