https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5991
Summary: Dissector created by LUA does not dissect IP traffic
properly when the capture is truncated
Product: Wireshark
Version: 1.6.0
Platform: x86
OS/Version: Windows 7
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: migangel@xxxxxxxxx
Created an attachment (id=6451)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6451)
Sample capture of IP traffic using my encapsulation protocol as defined in
mydissector.lua
Build Information:
Version 1.6.0rc2 (SVN Rev 37523 from /trunk-1.6)
--
I have created a simple Lua dissector based on the documentation example. The
protocol adds 1 byte to the captured IP raw data, and my dissector reads that
byte and calls the IP dissector with the remaining data. This is the Lua code:
----------------------------
do
    -- Configure Dissector
    -- We will use the User USER0 link
    --
    local my_proto = Proto("myproto","My Encapsulation Protocol");

    -- Value strings for the low 7 bits of the header byte (payload type)
    local vs_protos = {
        [0] = "Unknown",
        [1] = "Ethernet",
        [4] = "IP Version 4",
        [6] = "IP Version 6",
        [9] = "PPP",
        -- add new channels here
    }
    -- Value strings for the high bit of the header byte
    local vs_directions = {
        [0] = "Up",
        [1] = "Down"
    }

    local f_channel = ProtoField.uint8("myprot.channel","Channel",base.DEC,vs_protos,0x7F)
    local f_direction = ProtoField.uint8("myprot.direction","Direction",base.DEC,vs_directions,0x80);
    my_proto.fields = {f_channel,f_direction}

    -- Payload dissectors, indexed by channel number
    local data_dis = Dissector.get("data")
    local protos = {
        [0] = Dissector.get("data"),
        [1] = Dissector.get("eth"),
        [4] = Dissector.get("ip"),
        [6] = Dissector.get("ipv6"),
        [9] = Dissector.get("ppp"),
    }

    function my_proto.dissector(buf,pkt,root)
        local t = root:add(my_proto,buf(0,1)) -- Just one byte for our protocol
        t:add(f_channel,buf(0,1))
        t:add(f_direction,buf(0,1))

        -- Strip the direction bit (0x80) to get the channel number
        local proto_id = buf(0,1):uint()
        if(proto_id > 127) then
            proto_id = proto_id - 128
        end

        local dissector = protos[proto_id]
        if dissector ~= nil then
            -- Hand everything after the first byte to the payload dissector
            dissector:call(buf(1):tvb(),pkt,root)
        else
            data_dis:call(buf,pkt,root)
        end
    end

    -- Register for the USER0 link-layer encapsulation
    local wtap_encap_table = DissectorTable.get("wtap_encap")
    wtap_encap_table:add(wtap.USER0,my_proto)
end
----------------------------
If the captured IP traffic is complete, everything works as expected, all data
is dissected properly.
The problem occurs when the IP traffic is truncated, for example if only IP and
TCP/UDP headers are captured to reduce the .pcap file. The UDP dissector
produces this error:
Expert Info (Error/Malformed): Bad length value 51 > IP payload length
The TCP dissector does not produce any error, but it believes the payload is
less than it should be and the ack and seq numbers get out of sync.
I have attached a sample capture using the encapsulation protocol as expected
by the above Lua code.
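An added example, not part of the original report and not Wireshark code: a Python reader for a USER0 pcap that compares each record's captured length with its on-the-wire length and checks the UDP length field against both. It assumes, which the report does not confirm, that the symptom arises when the inner dissector is given only the captured byte count; the sample record, the addresses, the ports and the names `build_sample_pcap` and `inspect_records` are constructed for illustration.

```python
import struct

DLT_USER0 = 147  # pcap link type that corresponds to wtap.USER0

def build_sample_pcap():
    """Constructed sample: one truncated record (1-byte header + IPv4 + UDP header)."""
    udp_len = 51                       # same value as in the reported error message
    ip_total = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 4000, 4001, udp_len, 0)
    frame = bytes([0x84]) + ip + udp   # 0x84: direction bit set, channel 4 (IPv4)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, len(frame), DLT_USER0)
    rhdr = struct.pack("<IIII", 0, 0, len(frame), 1 + ip_total)  # caplen < origlen
    return ghdr + rhdr + frame

def inspect_records(pcap):
    """Return one dict per record comparing captured and on-the-wire sizes."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_USER0:
        raise ValueError("expected a little-endian pcap with link type USER0")
    out, off = [], 24
    while off + 16 <= len(pcap):
        _, _, caplen, origlen = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        rec = {"caplen": caplen, "origlen": origlen, "truncated": caplen < origlen}
        if len(data) >= 1:
            rec["channel"], rec["direction"] = data[0] & 0x7F, data[0] >> 7
        # Decode further only for IPv4 carrying UDP with both headers captured.
        if rec.get("channel") == 4 and len(data) >= 21:
            ihl = (data[1] & 0x0F) * 4
            if data[10] == 17 and len(data) >= 1 + ihl + 8:
                rec["udp_len"] = struct.unpack_from("!H", data, 1 + ihl + 4)[0]
                rec["payload_captured"] = caplen - 1 - ihl   # bytes present in the file
                rec["payload_on_wire"] = origlen - 1 - ihl   # bytes the packet had
                # Assumption: a length check against captured bytes is what fails.
                rec["udp_len_exceeds_captured"] = rec["udp_len"] > rec["payload_captured"]
        out.append(rec)
    return out

if __name__ == "__main__":
    print(inspect_records(build_sample_pcap()))
```

For the constructed record the UDP length of 51 equals the on-the-wire IP payload but exceeds the 8 payload bytes actually stored in the file.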