Wireshark-bugs: [Wireshark-bugs] [Bug 3755] New: NDMP defragmentation fails for default false TC

Date: Fri, 17 Jul 2009 11:19:46 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3755

           Summary: NDMP defragmentation fails for default false TCP "Try
                    heuristic sub-dissector first"
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: wmeier@xxxxxxxxxxx


Build Information:
SVN ....
--
NDMP defragmentation fails for default false TCP "Try heuristic sub-dissector
first".

IOW: ndmp fragmentation will not work correctly for "out-of-the-box"
Wireshark). 

See the second capture attached to bug #3395: "Example capture 2".

Frame 12 and others following show as "ESP" if TCP "Try heuristic as ..." is
false.

If the "Try heuristic ..." is set to true then the frames are correctly
de-fragmented as NDMP.

The reason: 

There's a port conflict (TCP port 10000) between packet-ipsec-tcp and
packet-ndmp.

packet-ipsec-tcp tries to avoid the conflict by first checking if the frame is
an ndmp frame before trying to dissect as "ESP".

This doesn't work if the frame (fragment ?) is a non-initial  ndmp fragment.

Maybe someone really familiar with the innards of defragmentation can suggest a
good way to solve this ....

Or: 

Disable by "ESP" by default ?
Register ESP only for "decode-as" ?

(especially given the comment in the source
/* oh what a ... protocol.
   there is nothing in the protocol that makes it easy to identify and then
   worse   is that by default it is using port 10000 which ndmp has been
   using for ages.

).


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.