https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3755
Summary: NDMP defragmentation fails for default false TCP "Try
heuristic sub-dissector first"
Product: Wireshark
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: wmeier@xxxxxxxxxxx
Build Information:
SVN ....
--
NDMP defragmentation fails for default false TCP "Try heuristic sub-dissector
first".
(IOW: ndmp fragmentation will not work correctly for "out-of-the-box"
Wireshark).
See the second capture attached to bug #3395: "Example capture 2".
Frame 12 and others following show as "ESP" if TCP "Try heuristic as ..." is
false.
If the "Try heuristic ..." is set to true then the frames are correctly
de-fragmented as NDMP.
The reason:
There's a port conflict (TCP port 10000) between packet-ipsec-tcp and
packet-ndmp.
packet-ipsec-tcp tries to avoid the conflict by first checking if the frame is
an ndmp frame before trying to dissect as "ESP".
This doesn't work if the frame (fragment ?) is a non-initial ndmp fragment.
Maybe someone really familiar with the innards of defragmentation can suggest a
good way to solve this ....
Or:
Disable "ESP" by default?
Register ESP only for "decode-as"?
(especially given the comment in the source
/* oh what a ... protocol.
there is nothing in the protocol that makes it easy to identify and then
worse is that by default it is using port 10000 which ndmp has been
using for ages.
).
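A minimal model of the failure described in this report, as an added example that is not Wireshark's code: a stateless "does this look like an NDMP header?" check accepts an initial fragment but hands a continuation fragment to ESP, while a per-conversation flag keeps the stream with NDMP. The function names, the `conv_state` flag, the simplified header check and the assumption of one record-marked fragment per buffer are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

enum owner { OWNER_ESP, OWNER_NDMP };
struct conv_state { int ndmp_msg_open; };   /* hypothetical per-conversation flag */

/* Constructed samples: 4-byte record marker (top bit = last fragment,
 * low 31 bits = length), then fragment data. Unlisted bytes are zero. */
static const uint8_t first_frag[36] = {      /* marker + 24-byte header + 8 body */
    0x00,0,0,0x20,  0,0,0,1,  0x4a,0,0,0,  0,0,0,0,  0,0,9,0 };
static const uint8_t cont_frag[28] = {       /* marker + 24 bytes of message body */
    0x80,0,0,0x18,  'd','a','t','a','d','a','t','a','d','a','t','a' };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Stateless check: does the data after the marker look like an NDMP header
 * (sequence, time_stamp, message_type, message_code, reply_sequence, error)? */
int looks_like_ndmp_start(const uint8_t *buf, size_t len)
{
    if (len < 4 + 24) return 0;
    if ((be32(buf) & 0x7fffffffu) < 24) return 0;
    return be32(buf + 12) <= 1;              /* message_type: 0 request, 1 reply */
}

enum owner classify_stateless(const uint8_t *buf, size_t len)
{
    return looks_like_ndmp_start(buf, len) ? OWNER_NDMP : OWNER_ESP;
}

/* Remember that an NDMP message is still open, so continuation fragments
 * bypass the header check. */
enum owner classify_with_state(struct conv_state *c, const uint8_t *buf, size_t len)
{
    if (len < 4 || (!c->ndmp_msg_open && !looks_like_ndmp_start(buf, len)))
        return OWNER_ESP;
    c->ndmp_msg_open = !(be32(buf) & 0x80000000u);
    return OWNER_NDMP;
}

int main(void)
{
    struct conv_state c = { 0 };
    printf("stateless: %d %d\n", classify_stateless(first_frag, sizeof first_frag),
           classify_stateless(cont_frag, sizeof cont_frag));
    printf("stateful:  %d ", classify_with_state(&c, first_frag, sizeof first_frag));
    printf("%d\n", classify_with_state(&c, cont_frag, sizeof cont_frag));
    return 0;
}
```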