https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6864
Summary: SIP/SDP/XML protocol saves incorrectly
Product: Wireshark
Version: unspecified
Platform: x86
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: jon.carmicheal@xxxxxxxxx
Build Information:
In Windows:
Version 1.6.1 (SVN Rev 38096 from /trunk-1.6)
Also tried: Version 1.0.10 01-30-2010-V1
and: Version 1.6.0 (SVN Rev 37592 from /trunk-1.6)
and: Version 1.7.1 (OneWireshark - 1.5 ESVN Rev 1130 from trunk) (proprietary)
And in Linux:
Version 1.4.6
--
Wireshark seems to have a bug when saving certain packet types. Please see
below for a description of the scenario where Wireshark fails to save all of
the bytes in a packet.
When displaying a captured file with no filters, some of the packets show up
with a protocol SIP/SDP/XML. If I filter (using the Filter box above the
packet list) on sip || sdp || xml (or just sip), then these packets are still
displayed in the Wireshark packet list with protocol SIP/SDP/XML. I then go to
File->Save As and select "Displayed" for the packet range and save the file.
Then I open the file that I just saved, but these packets that were SIP/SDP/XML
now have protocol as IPv4 and the Info changes to Fragmented IP Protocol
(proto=UDP 17, off=2640, ID=f546). Other packets that were previously
displayed as SIP are saved correctly during this process. It seems to only
fail on these SIP/SDP/XML packets.
I tried exporting the affected packet's bytes as text before and after saving
the capture file, and I see that Wireshark did not save the SIP portion of the
packet, but only the Frame, Ethernet II, and Internet Protocol Version 4
fields. It did not correctly save the User Datagram Protocol or the Session
Initiation Protocol fields of the packet.
Before I filter and save the file, the exported packet contains:
Reassembled IPv4 (2323 bytes):
0000 13 c4 1a 0a 09 13 63 59 49 4e 56 49 54 45 20 73 ......cYINVITE s
0010 69 70 3a 38 31 33 32 35 39 31 33 32 36 40 66 61 ip:8132591326@fa
and a lot more.
After I filter and save file, the exported packet does not contain the
Reassembled IPv4 section.
Could this be a limitation in the size of packets that are saved in the method
I used?
Since I'm working with proprietary information in the capture files, I don't
know how many additional details I'll be able to provide, but please let me
know if you need more information to look into this.
Thanks!
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.