Wireshark-bugs: [Wireshark-bugs] [Bug 9552] New: Support Novell SPXII packet dissection
Date: Thu, 12 Dec 2013 09:15:07 +0000
Bug ID | 9552 |
---|---|
Summary | Support Novell SPXII packet dissection |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | x86 |
OS | All |
Status | UNCONFIRMED |
Severity | Enhancement |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Created attachment 12292 [details] Example SPXII packet capture Build Information: Version 1.11.3-SVN-53936 (SVN Rev 53936 from /trunk) Copyright 1998-2013 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio V19-devel (built Dec 11 2013), with AirPcap. Running on 64-bit Windows Server 2008 R2 Service Pack 1, build 7601, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap. Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz, with 16373MB of physical memory. Built using Microsoft Visual C++ 10.0 build 40219 Wireshark is Open Source Software released under the GNU General Public License. Check the man page and http://www.wireshark.org for more information. -- Currently, WireShark can only decode Novell SPX packets, not SPXII (SPX 2, etc). The differences are somewhat minor, but the basic changes are: 1. Addition of four additional flag bits in the "Connection Control" field. LSB to MSB, these four new bits are: a. SPXII Packet (Mask 0x08) b. Negotiate Size (Mask 0x04) c. Reserved (Mask 0x02) d. Extended Header (Mask 0x01) Only "SPXII Packet" and "Negotiate Size" matter -- I am not sure about the origin of the last two, especially the extended header one. I can find NO documentation on it, so I assume Novell was planning for something and dropped it once TCP/IP took over. 2. Addition of the "Negotiated Size" field, which exists on ALL SPXII packets EXCEPT the first packet of the session. The first packet can be determined by checking the destination ID field for a value of 0xffff (65535) and that the SPXII bit is set in Connection Control. I don't know much more beyond that, but this gets the basics of parsing the packet format down. I think Novell borrowed some ideas from TCP, as the negotiated size field is a type of window scaling capability. SPXII also removed the 576 byte limitation on payload size, so SPXII payloads can go up to the MTU. To actually generate sample SPXII traffic, the following will be needed: 1. NetWare 4.x server, patched appropriately. 2. The example file XTLI1.exe from Novell TID #100367 (not sure if this is still available, I can provide if necessary). 3. A Windows 95/98/Me/2k client running the latest Novell Client software over IPX. To generate the traffic: 1. Load SPXS.NLM at the server console. 2. Place FILETX.NLM in SYS:\SYSTEM. 3. At the server console LOAD SYS:\FILETX.NLM ${SERVER_NAME} ${PATH_TO_FILE} 4. On the client, place FILERX.EXE in a folder. 5. Open a command.com/cmd.exe shell and CD to the folder. 6. Run FILERX.EXE ${SERVER_NAME} > ${OUTPUT_FILE}. 7. Press Ctrl+C on the server while switched to the FILETX console screen. 8. Switch back to the primary console and down the server. XTLI1 is an example program only, and it doesn't gracefully exit, so it may cause additional problems if its console screen remains open. Run in a test environment only! Make sure to capture in the background if running in a VM or dump all network traffic to a trace file. I have attached a LUA script I wrote that adds mediocre parsing of SPXII to WireShark, however, I cannot get the output formatted into hexadecimal correctly, nor can I get the Negotiated Size field to appear. I am no Lua expert, but the script should provide a basic example of what I'd expect WireShark to do with SPXII traffic. I have also included a session of example SPXII traffic using the above steps and transferring a large text file generated form the Lorem Ipsum website. Lastly, here are some references on this protocol: Novell Network Transport Services 4.1 for AIX (refer to Chapter 4): http://ps-2.kev009.com/basil.holloway/ALL%20PDF/TRANSPORTS.pdf NetWare IPX Protocol Reference (Slide 7): http://www.infrax.com/fr/network_protocols/netware_ipx_protocol_reference.pdf Some unknown packet parser module for SPX/SPXII: https://nmparsers.svn.codeplex.com/svn/Develop_Branch/NPL/common/spx.npl
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- Prev by Date: [Wireshark-bugs] [Bug 9471] ANSI A-interface enhancement for showing mobile ID and service option on INFO line.
- Next by Date: [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- Previous by thread: [Wireshark-bugs] [Bug 9551] [PATCH] Dissect SCSI XCOPY and RECEIVE COPY Parameters commands
- Next by thread: [Wireshark-bugs] [Bug 9552] Support Novell SPXII packet dissection
- Index(es):