https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7283
Summary: SNMPv3 EngineID decode error
Product: Wireshark
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: songhao@xxxxxxx
Created attachment 8485
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8485
picture in wireshark
Build Information:
From source: wireshark-1.7.1.tar.bz2
--
I think it is a bug that if an enterprise uses 128 as the fifth octet while the
very first bit is set to 1, Wireshark shows <Data not Conforming to RFC3411>.
The EngineID is defined in RFC3411 as follows:
SnmpEngineID ::= TEXTUAL-CONVENTION
......
3) The length of the octet string varies.
......
The fifth octet indicates how the rest (6th and
following octets) are formatted. The values for
the fifth octet are:
......
128-255 - as defined by the enterprise
Maximum remaining length 27
If the fifth octet uses 128-255, it indicates that the enterprise's own encoding
follows, but I found there is a bug in the source code.
I downloaded the source of V1.7.1, but I think it could be in all versions of
Wireshark.
/* In function dissect_snmp_engineid
   asn1\snmp\packet-snmp-template.c
   epan\dissectors\packet-snmp.c */
    switch(format) {
    ......
    case 128:
      /* most common enterprise-specific format: (ucd|net)-snmp random */
      if ((enterpriseid==2021)||(enterpriseid==8072)) {
        proto_item_append_text(item, (enterpriseid==2021) ? ": UCD-SNMP Random" : ": Net-SNMP Random");
        /* demystify: 4B random, 4B epoch seconds */
        if (len_remain==8) {
          proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, 4, ENC_NA);
          seconds = tvb_get_letohl(tvb, offset+4);
          ts.secs = seconds;
          ts.nsecs = 0;
          proto_tree_add_time_format_value(tree, hf_snmp_engineid_time, tvb, offset+4, 4,
                                           &ts, "%s",
                                           abs_time_secs_to_str(seconds, ABSOLUTE_TIME_LOCAL, TRUE));
          offset+=8;
          len_remain=0;
        }
      }
      break;
    case SNMP_ENGINEID_FORMAT_OCTETS:
    default:
      /* max. 27 bytes, administratively assigned or unknown format */
      if (len_remain<=27) {
        proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, len_remain, ENC_NA);
        offset+=len_remain;
        len_remain=0;
      }
      break;
    }
  }
  if (len_remain>0) {
    proto_tree_add_text(tree, tvb, offset, len_remain, "<Data not conforming to RFC3411>");
    offset+=len_remain;
  }
This code thinks 128 is just for UCD-SNMP and Net-SNMP and that the following
octets must be encoded according to their rules.
Maybe it is better to write it as:
    /* case 128: */ /* move case 128 to the default branch */
    case SNMP_ENGINEID_FORMAT_OCTETS:
    default:
      if (format == 128) {
        /* most common enterprise-specific format: (ucd|net)-snmp random */
        if ((enterpriseid==2021)||(enterpriseid==8072)) {
          proto_item_append_text(item, (enterpriseid==2021) ? ": UCD-SNMP Random" : ": Net-SNMP Random");
          /* demystify: 4B random, 4B epoch seconds */
          if (len_remain==8) {
            proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, 4, ENC_NA);
            seconds = tvb_get_letohl(tvb, offset+4);
            ts.secs = seconds;
            ts.nsecs = 0;
            proto_tree_add_time_format_value(tree, hf_snmp_engineid_time, tvb, offset+4, 4,
                                             &ts, "%s",
                                             abs_time_secs_to_str(seconds, ABSOLUTE_TIME_LOCAL, TRUE));
            offset+=8;
            len_remain=0;
          }
        }
      }
      else
      {
        /* max. 27 bytes, administratively assigned or unknown format */
        if (len_remain<=27) {
          proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, len_remain, ENC_NA);
          offset+=len_remain;
          len_remain=0;
        }
      }
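An added example, not part of the original report and not Wireshark code: a standalone C classifier for the RFC 3411 rule quoted in the report. It decodes the UCD-SNMP/Net-SNMP layout only when the enterprise number, format 128 and 8 remaining octets all match, and otherwise treats any fifth octet in 128-255 as opaque enterprise data. The names eid_kind and classify_engineid, the enterprise number 99999 and the sample bytes are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: classify an SnmpEngineID per RFC 3411 (not Wireshark code). */
typedef enum { EID_NONCONFORMING, EID_LEGACY, EID_STANDARD,
               EID_NETSNMP_RANDOM, EID_ENTERPRISE_OPAQUE } eid_kind;

/* Hypothetical helper. enterprise and epoch are out-parameters; epoch is
 * written only when EID_NETSNMP_RANDOM is returned. */
eid_kind classify_engineid(const uint8_t *eid, size_t len,
                           uint32_t *enterprise, uint32_t *epoch)
{
    if (eid == NULL || len < 5 || len > 32)    /* OCTET STRING SIZE(5..32) */
        return EID_NONCONFORMING;
    /* Octets 1-4: enterprise number, big-endian, top bit is the format flag. */
    *enterprise = (((uint32_t)eid[0] & 0x7f) << 24) | ((uint32_t)eid[1] << 16) |
                  ((uint32_t)eid[2] << 8) | eid[3];
    if (!(eid[0] & 0x80))                      /* first bit clear: pre-RFC 3411 layout */
        return EID_LEGACY;
    uint8_t format = eid[4];
    size_t remain = len - 5;                   /* at most 27 because len <= 32 */
    if (format < 128)
        return EID_STANDARD;                   /* formats 0-127 are not decoded here */
    /* 128-255: defined by the enterprise. Decode only a layout we recognise. */
    if (format == 128 && remain == 8 &&
        (*enterprise == 2021 || *enterprise == 8072)) {
        const uint8_t *t = eid + 9;            /* 4B random, then 4B epoch seconds */
        *epoch = (uint32_t)t[0] | ((uint32_t)t[1] << 8) |   /* little-endian, */
                 ((uint32_t)t[2] << 16) | ((uint32_t)t[3] << 24); /* as tvb_get_letohl */
        return EID_NETSNMP_RANDOM;
    }
    return EID_ENTERPRISE_OPAQUE;              /* conforming; show as raw octets */
}

int main(void)
{
    /* Constructed samples: Net-SNMP (8072) and a made-up enterprise 99999. */
    const uint8_t netsnmp[] = {0x80,0x00,0x1f,0x88,0x80,
                               0xde,0xad,0xbe,0xef, 0x00,0xe1,0xf5,0x05};
    const uint8_t vendor[]  = {0x80,0x01,0x86,0x9f,0x80, 0x01,0x02,0x03};
    uint32_t ent = 0, epoch = 0;
    eid_kind k = classify_engineid(netsnmp, sizeof netsnmp, &ent, &epoch);
    printf("kind=%d enterprise=%u epoch=%u\n", (int)k, (unsigned)ent, (unsigned)epoch);
    k = classify_engineid(vendor, sizeof vendor, &ent, &epoch);
    printf("kind=%d enterprise=%u\n", (int)k, (unsigned)ent);
    return 0;
}
```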