Wireshark-bugs: [Wireshark-bugs] [Bug 1503] New: SSLv2 record length and version shown wrong

Date: Fri, 30 Mar 2007 16:14:28 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1503

           Summary: SSLv2 record length and version shown wrong
           Product: Wireshark
           Version: 0.99.5
          Platform: Sun
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: vlada@xxxxxxxxxx


Build Information:
Version 0.99.6-SVN-20946

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.2, with GLib 2.12.2, with libpcap 0.9.4, with libz
1.2.3, with libpcre 4.5, with Net-SNMP 5.3.0.1, without ADNS, without Lua, with
GnuTLS 1.4.4, with Gcrypt 1.2.3, with MIT Kerberos, without PortAudio, without
AirPcap.

Running on SunOS 5.11, with libpcap version 0.9.4.

Built using Sun C 5.8

--
The SSLv2 packet header is interpreted badly: if I click on the 'Length' field
in an SSLv2 record, Wireshark will highlight 2 bytes in the 'Packet bytes'
window, but the value of the Length field is ok.

In my case it is '80 7a'. The Length value is 122 (0x7a).

Also, what is missing is the 0x80 value being interpreted as an SSLv2 handshake
(content_handshake_v2 = 128 = 0x80).

This is a problem in the plugin/wireshark because tshark shows the following:

    SSLv2 Record Layer: Client Hello
        Length: 122
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 81
        Session ID Length: 0
        Challenge Length: 32
        Cipher Specs (27 specs)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
...


and the corresponding packet is:

        0x0000:  4500 00a4 4e54 4000 4006 331f 819d 124a  E...NT@.@.3....J
        0x0010:  8192 a367 8e39 01bb 7688 4d3a 21f8 57a7  ...g.9..v.M:!.W.
        0x0020:  5018 c1e8 7245 0000 807a 0103 0100 5100  P...rE...z....Q.
                                     ^^^^
        0x0030:  0000 2000 0016 0000 1300 000a 0700 c003  ................
        0x0040:  0080 0000 6600 0005 0000 0401 0080 0800  ....f...........
        0x0050:  8000 0063 0000 6200 0061 0000 1500 0012  ...c..b..a......
        0x0060:  0000 0906 0040 0000 6500 0064 0000 6000  .....@..e..d..`.
        0x0070:  0014 0000 1100 0008 0000 0604 0080 0000  ................
        0x0080:  0302 0080 1277 5a85 d9d6 df1a 6280 359f  .....wZ.....b.5.
        0x0090:  e1e8 38ff d1d2 08ad b314 3fda 32bb d102  ..8.......?.2...
        0x00a0:  f90c 2f6f


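The bytes marked in the dump can be decoded by hand. The following Python sketch is an added example, not code from the report or from Wireshark: it follows the SSLv2 record layout, in which the high bit of the first byte selects the 2-byte header form, and parses the Client Hello from the packet's TCP payload (offset 0x28 onward in the dump). The function names are hypothetical.

```python
import struct

# TCP payload copied from the report's dump (offset 0x28 to the end).
PAYLOAD = bytes.fromhex(
    "807a 0103 0100 5100"
    "0000 2000 0016 0000 1300 000a 0700 c003"
    "0080 0000 6600 0005 0000 0401 0080 0800"
    "8000 0063 0000 6200 0061 0000 1500 0012"
    "0000 0906 0040 0000 6500 0064 0000 6000"
    "0014 0000 1100 0008 0000 0604 0080 0000"
    "0302 0080 1277 5a85 d9d6 df1a 6280 359f"
    "e1e8 38ff d1d2 08ad b314 3fda 32bb d102"
    "f90c 2f6f"
)

def parse_sslv2_record_header(buf):
    """Return (header_len, record_len, padding_len, is_escape)."""
    if len(buf) < 2:
        raise ValueError("truncated SSLv2 record header")
    if buf[0] & 0x80:
        # 2-byte form: high bit set, 15-bit length, no padding.
        return 2, ((buf[0] & 0x7F) << 8) | buf[1], 0, False
    if len(buf) < 3:
        raise ValueError("truncated 3-byte SSLv2 record header")
    # 3-byte form: bit 6 is IS-ESCAPE, 14-bit length, third byte is padding.
    return 3, ((buf[0] & 0x3F) << 8) | buf[1], buf[2], bool(buf[0] & 0x40)

def parse_sslv2_client_hello(buf):
    """Parse an SSLv2-format Client Hello and check its length fields."""
    hdr_len, rec_len, _pad, _esc = parse_sslv2_record_header(buf)
    body = buf[hdr_len:hdr_len + rec_len]
    if rec_len < 9 or len(body) < rec_len:
        raise ValueError("truncated SSLv2 record")
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack_from(">BHHHH", body)
    if msg_type != 1:
        raise ValueError("not a Client Hello")
    # Each SSLv2 cipher spec is 3 bytes; the three lengths must fill the record.
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        raise ValueError("inconsistent Client Hello lengths")
    sid_off = 9 + cs_len
    ch_off = sid_off + sid_len
    return {
        "version": version,
        "cipher_specs": [int.from_bytes(body[i:i + 3], "big")
                         for i in range(9, sid_off, 3)],
        "session_id": body[sid_off:ch_off],
        "challenge": body[ch_off:ch_off + ch_len],
    }

if __name__ == "__main__":
    print(parse_sslv2_record_header(PAYLOAD))
    print(parse_sslv2_client_hello(PAYLOAD))
```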