https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5743
Summary: tshark incorrectly calculates tcp stream for some syn
packets
Product: Wireshark
Version: 1.5.x (Experimental)
Platform: x86-64
OS/Version: Ubuntu
Status: NEW
Severity: Normal
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: stefan.demharter@xxxxxxx
Created an attachment (id=6004)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6004)
A reduced tcp dump containing just some syn and syn-ack packets to demonstrate
the problem.
Build Information:
TShark 1.5.0 (SVN Rev Unknown from unknown)
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.26.1, with libpcap 1.1.1, with libz 1.2.3.4, with
POSIX capabilities (Linux), without libpcre, without SMI, without c-ares,
without ADNS, without Lua, without Python, without GnuTLS, without Gcrypt, with
MIT Kerberos, without GeoIP.
Running on Linux 2.6.35-27-generic, with libpcap version 1.1.1, with libz
1.2.3.4.
Built using gcc 4.4.5.
--
Tshark incorrectly assign a tcp-syn-packet to a previous tcp-stream if both
streams have the same source and destination.
I've tested this with the ubuntu packaged version 1.2.11, version 1.4.4 from
ppa and self-compiled version 1.5. All tested versions show the same behaviour.
The following shows a tshark command with its result to demonstrate this (Have
a look at packet 6):
tshark -n -r test.cap -e frame.number -e tcp.stream -e tcp.flags -e ip.src -e
tcp.srcport -e ip.dst -e tcp.dstport -T fields
1 0 0x02 10.1.73.43 33622 10.1.91.89 2001
2 0 0x12 10.1.91.89 2001 10.1.73.43 33622
3 1 0x02 10.1.73.43 50945 10.1.91.89 2001
4 1 0x02 10.1.73.43 50945 10.1.91.89 2001
5 1 0x12 10.1.91.89 2001 10.1.73.43 50945
6 0 0x02 10.1.73.43 33622 10.1.91.89 2001
7 2 0x12 10.1.91.89 2001 10.1.73.43 33622
Description of each packet:
1: SYN of stream 0 - ok
2: SYN-ACK of stream 0 - ok
3: SYN of stream 1 - ok
4: SYN-Retransmission of stream 1 -ok
5: SYN-ACK of stream 1 -ok
6: SYN of stream 2 - NOT OK: incorrectly identified as belonging to stream 0
(Has the same src and dst as stream 0)
7: SYN-ACK of stream 2 - ok
If you however open this file with wireshark, you can see that packet 6 has the
correct stream idx of 2. So, wireshark doesn't have problem.
Regards
Stefan
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.