Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 8572] New: Endian error and IP:Port error when decoding BT-DHT response messag

Wireshark-bugs: [Wireshark-bugs] [Bug 8572] New: Endian error and IP:Port error when decoding BT

Date: Tue, 09 Apr 2013 06:45:55 +0000

Bug ID	8572
Summary	Endian error and IP:Port error when decoding BT-DHT response message
Classification	Unclassified
Product	Wireshark
Version	1.8.6
Hardware	x86-64
OS	Windows 7
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	Wireshark
Assignee	[email protected]
Reporter	[email protected]

Created attachment 10569 [details]
the screenshot of bug and corresponding pcap file

Build Information:
wireshark 1.8.6 x86_64 on windows
--
Dear Sir,

The lastest wireshark version 1.8.6 stable made a wrong decode when processing
BT-DHT response message.

BT-DHT protocol details can be found here:
http://www.bittorrent.org/beps/bep_0005.html

When I use wireshark for analysing the captured data, I found that peers' IP
returned by BT-DHT response message are wrong.

I attached two files, one is the pcap file, another one is the screenshot of
wireshark. 

In screenshot, the selected packet is a response message sent from a remote
client to me. In this packet, the remote client sended two node sets, one
contains 8 nodes, another one contains 1 node.

There are 8 items in packet detail window, when these items are collapsed, it
shows like (1    3cad1f360cc51870d3e68d61ed604078bc608ee2 60.173.31.54:43365),
but this node's true ip and port is 99.192.73.131:26025. When we expand these
items, the ips and ports in detailed information are right.

With my analysis, I find that 
(1)Wrong ip is the first 4 bytes of node's id. For example, the above case
shows the wrong ip 60.173.31.54, it's 3cad1f36 in hex format, exactly the first
4 bytes of this node's id. It should be the 4 bytes right after node's id
(2)Wrong port is the little endian format of right port num. 43365 is A965 in
hex format, 26025 is 65A9 in hex format.In this case,it should be big endian.
(3)When decoding the second node set, wireshark has the right ip displayed, but
the port is wrong, the same problem as (2). In screenshot, wireshrk displays
the node's ip and port as 121.2.200.103:32880, it should be 121.2.200.103:28800

Anyway, wireshark is a great software and has done me a great favor, thanks for
all contributors.

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 8569] Warnings for MCC MNC fields containing non-decimal digits
Next by Date: [Wireshark-bugs] [Bug 8570] LDAP dissector doesn't account for reuse of MessageID - ldap.time HORRIBLY incorrect
Previous by thread: [Wireshark-bugs] [Bug 8437] Windows PortableApps version of Wireshark tries to open .wireshark directory
Next by thread: [Wireshark-bugs] [Bug 8572] Endian error and IP:Port error when decoding BT-DHT response message
Index(es):
- Date
- Thread