http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1226
Summary: WireShark displays DCE RPC fragment acknowledgements
(FACK) without a body as malformed
Product: Wireshark
Version: 0.99.4
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Minor
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: benja@xxxxxxxx
Build Information:
Version 0.99.4 (SVN Rev 19757)
Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.6.9, with GLib 2.6.6, with WinPcap (version unknown), with
libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.3.1, with ADNS, with Lua 5.1,
with GnuTLS 1.5.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio <= V18, with
AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 3.1
(packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x], without
AirPcap.
Built using Microsoft Visual C++ 6.0 build 8804
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
WireShark marks DCE RPC FACKs as "malformed" if they do not have a body.
According to DCE RPC Spec. 1.1 FACKs "may contain" a body PTU.
I am unable to build WireShark (lack of time to install all necessary stuff)
but I looked at the source code. I think, at least this has to be fixed:
file: epan/dissectors/packet-dcerpc.c
function: static gboolean dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
*snip*
    case PDU_FACK:
        dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr);
        break;
*snap*
I guess, it should look like "case PDU_NOCALL:" directly above.
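An added example, not part of the original report and not Wireshark's code: a length-checked classifier for datagram fack PDUs that treats a zero body length as valid instead of malformed. It assumes the DCE RPC 1.1 connectionless header layout (80 bytes, body length at offset 74) and the version 0 fack body; the function names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DG_HDR_LEN   80  /* fixed size of the connectionless (dg) header */
#define DG_OFF_PTYPE 1   /* packet type */
#define DG_OFF_DREP  4   /* data representation; 0x10 bit = little-endian ints */
#define DG_OFF_LEN   74  /* 16-bit length of the PDU body */
#define PDU_FACK     9
#define FACK_FIXED   16  /* fixed part of a fack body, before the selack array */

enum fack_result { NOT_FACK, FACK_NO_BODY, FACK_BODY_OK, FACK_MALFORMED };
static uint16_t last_window;  /* window_size of the last body parsed by demo() */

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify a datagram PDU; a fack with body length 0 is valid, not malformed. */
enum fack_result classify_fack(const uint8_t *pkt, size_t n, uint16_t *window_size) {
    if (n < DG_HDR_LEN) return FACK_MALFORMED;
    if (pkt[DG_OFF_PTYPE] != PDU_FACK) return NOT_FACK;
    int le = (pkt[DG_OFF_DREP] & 0x10) != 0;
    uint16_t body_len = rd16(pkt + DG_OFF_LEN, le);
    if (body_len == 0) return FACK_NO_BODY;          /* optional body absent */
    if (body_len < FACK_FIXED || n - DG_HDR_LEN < body_len) return FACK_MALFORMED;
    const uint8_t *b = pkt + DG_HDR_LEN;
    uint16_t selack_len = rd16(b + 14, le);          /* count of 32-bit selack words */
    if (body_len < FACK_FIXED + 4u * selack_len) return FACK_MALFORMED;
    *window_size = rd16(b + 2, le);
    return FACK_BODY_OK;
}

/* Constructed sample: little-endian fack declaring `declared` body bytes,
 * of which only `captured` are actually present in the buffer. */
enum fack_result demo(uint16_t declared, size_t captured) {
    uint8_t pkt[DG_HDR_LEN + 64];
    if (captured > 64) captured = 64;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 4; pkt[DG_OFF_PTYPE] = PDU_FACK; pkt[DG_OFF_DREP] = 0x10;
    pkt[DG_OFF_LEN] = (uint8_t)declared; pkt[DG_OFF_LEN + 1] = (uint8_t)(declared >> 8);
    pkt[DG_HDR_LEN + 2] = 8;                         /* window_size = 8 */
    return classify_fack(pkt, DG_HDR_LEN + captured, &last_window);
}

int main(void) {
    printf("%d %d %d\n", demo(0, 0), demo(16, 16), demo(16, 4));
    return 0;
}
```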