https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7940
Summary: Reassembly of Cisco IKE fragments does not work as
expected.
Product: Wireshark
Version: SVN
Platform: x86
OS/Version: All
Status: NEW
Severity: Major
Priority: Medium
Component: Dissection engine (libwireshark)
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: msp@xxxxxx
CC: jmayer@xxxxxxxxx
Created attachment 9457
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9457
Wireshark capture file
Build Information:
wireshark 1.9.0 (SVN Rev 45830 from /trunk)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GTK+ 2.20.1, with Cairo 1.8.10, with Pango 1.28.0, with
GLib 2.24.1, with libpcap, with libz 1.2.3.3, with POSIX capabilities (Linux),
with libnl 3, without SMI, without c-ares, without ADNS, without Lua, without
Python, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT Kerberos, without GeoIP,
without PortAudio, without AirPcap.
Running on Linux 2.6.32-41-generic, with locale en_US.utf8, with libpcap version
1.0.0, with libz 1.2.3.3, GnuTLS 2.8.5, Gcrypt 1.4.4.
Built using gcc 4.4.3.
--
PREFACE
=======
Actually, there are two bugs, but they are so closely related that I decided
to post them as one, because the second bug prevented me from reporting the
first one: because of bug II, bug I is not reproducible by simply loading a
Wireshark capture file.
@jmayer: Since this feature was originally implemented by you in r22865
(2007-09-13), I added you to the CC list. Hope that's ok.
DESCRIPTION OF ERRORS
=====================
(I) During live capture, dissect_cisco_fragmentation() throws an exception
while trying to display the reassembled part of the first fragment.
(II) After restarting Wireshark with a saved capture of the session, no
reassembly of fragments occurs at all.
Although ERROR (I) occurs only during live capture, there is a trick to enforce
this error post-mortem by changing the field type of one of the column headers
after loading the capture file.
More precisely, you can reproduce ERROR (II) and ERROR (I) by the following
steps:
HOW TO REPRODUCE THE ERRORS
===========================
* run wireshark -r capture.pcap
* set 'isakmp' filter
* observe ERROR (II): none of the IKE_AUTH messages are reassembled
* select first IKE_AUTH message (Frame #21)
* in the packet details window, open details for 'Internet Security
Association ... Protocol' > 'Type Payload: Cisco-Fragmentation (132)'
* observe screenshot1
* change Field Type of one of the columns other than the Information:
(for example, Right Click 'Destination' Header > Edit Column Details ...,
then choose new Field Type)
* observe ERROR (I) as in screenshot2: Wireshark shows [Malformed Packet:
ISAKMP]