Wireshark-bugs: [Wireshark-bugs] [Bug 6864] New: SIP/SDP/XML protocol saves incorrectly

Date: Thu, 23 Feb 2012 09:07:10 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6864

           Summary: SIP/SDP/XML protocol saves incorrectly
           Product: Wireshark
           Version: unspecified
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: jon.carmicheal@xxxxxxxxx


Build Information:
In Windows:
Version 1.6.1 (SVN Rev 38096 from /trunk-1.6)

Also tried: Version 1.0.10 01-30-2010-V1
and: Version 1.6.0 (SVN Rev 37592 from /trunk-1.6)
and: Version 1.7.1 (OneWireshark - 1.5 ESVN Rev 1130 from trunk) (proprietary)


And in Linux:
Version 1.4.6
--
Wireshark seems to have a bug when saving certain packet types.  Please see
below for a description of the scenario where Wireshark fails to save all of
the bytes in a packet.

When displaying a captured file with no filters, some of the packets show up
with a protocol SIP/SDP/XML.  If I filter (using the Filter box above the
packet list) on sip || sdp || xml (or just sip), then these packets are still
displayed in the Wireshark packet list with protocol SIP/SDP/XML.  I then go to
File->Save As and select "Displayed" for the packet range and save the file. 
Then I open the file that I just saved, but these packets that were SIP/SDP/XML
now have protocol as IPv4 and the Info changes to Fragmented IP Protocol
(proto=UDP 17, off=2640, ID=f546).  Other packets that were previously
displayed as SIP are saved correctly during this process.  It seems to only
fail on these SIP/SDP/XML packets.

I tried exporting the affected packet's bytes as text before and after saving
the capture file, and I see that Wireshark did not save the SIP portion of the
packet, but only the Frame, Ethernet II, and Internet Protocol Version 4
fields.  It did not correctly save the User Datagram Protocol or the Session
Initiation Protocol fields of the packet.

Before I filter and save the file, the exported packet contains:

Reassembled IPv4 (2323 bytes):

0000  13 c4 1a 0a 09 13 63 59 49 4e 56 49 54 45 20 73   ......cYINVITE s
0010  69 70 3a 38 31 33 32 35 39 31 33 32 36 40 66 61   ip:8132591326@fa
and a lot more.

After I filter and save file, the exported packet does not contain the
Reassembled IPv4 section.

Could this be a limitation in the size of packets that are saved in the method
I used?

Since I'm working with proprietary information in the capture files, I don't
know how many additional details I'll be able to provide, but please let me
know if you need more information to look into this.

Thanks!

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.