Wireshark-bugs: [Wireshark-bugs] [Bug 9552] New: Support Novell SPXII packet dissection

Date: Thu, 12 Dec 2013 09:15:07 +0000
Bug ID: 9552
Summary: Support Novell SPXII packet dissection
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Enhancement
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 12292 [details]
Example SPXII packet capture

Build Information:
Version 1.11.3-SVN-53936 (SVN Rev 53936 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Dec 11 2013),
with AirPcap.

Running on 64-bit Windows Server 2008 R2 Service Pack 1, build 7601, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
Intel(R) Core(TM) i7 CPU         960  @ 3.20GHz, with 16373MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Currently, Wireshark can only decode Novell SPX packets, not SPXII (SPX 2,
etc).  The differences are somewhat minor, but the basic changes are:

1. Addition of four additional flag bits in the "Connection Control" field. 
LSB to MSB, these four new bits are:
a. SPXII Packet (Mask 0x08)
b. Negotiate Size (Mask 0x04)
c. Reserved (Mask 0x02)
d. Extended Header (Mask 0x01)

Only "SPXII Packet" and "Negotiate Size" matter -- I am not sure about the
origin of the last two, especially the extended header one.  I can find NO
documentation on it, so I assume Novell was planning for something and dropped
it once TCP/IP took over.

2. Addition of the "Negotiated Size" field, which exists on ALL SPXII packets
EXCEPT the first packet of the session.  The first packet can be determined by
checking the destination ID field for a value of 0xffff (65535) and that the
SPXII bit is set in Connection Control.

I don't know much more beyond that, but this gets the basics of parsing the
packet format down.  I think Novell borrowed some ideas from TCP, as the
negotiated size field is a type of window scaling capability.  SPXII also
removed the 576 byte limitation on payload size, so SPXII payloads can go up to
the MTU.

To actually generate sample SPXII traffic, the following will be needed:
1. NetWare 4.x server, patched appropriately.
2. The example file XTLI1.exe from Novell TID #100367 (not sure if this is
still available, I can provide if necessary).
3. A Windows 95/98/Me/2k client running the latest Novell Client software over
IPX.

To generate the traffic:
1. Load SPXS.NLM at the server console.
2. Place FILETX.NLM in SYS:\SYSTEM.
3. At the server console LOAD SYS:\FILETX.NLM ${SERVER_NAME} ${PATH_TO_FILE}
4. On the client, place FILERX.EXE in a folder.
5. Open a command.com/cmd.exe shell and CD to the folder.
6. Run FILERX.EXE ${SERVER_NAME} > ${OUTPUT_FILE}.
7. Press Ctrl+C on the server while switched to the FILETX console screen.
8. Switch back to the primary console and down the server.  XTLI1 is an example
program only, and it doesn't gracefully exit, so it may cause additional
problems if its console screen remains open.  Run in a test environment only!

Make sure to capture in the background if running in a VM or dump all network
traffic to a trace file.

I have attached a Lua script I wrote that adds mediocre parsing of SPXII to
Wireshark; however, I cannot get the output formatted into hexadecimal
correctly, nor can I get the Negotiated Size field to appear.  I am no Lua
expert, but the script should provide a basic example of what I'd expect
Wireshark to do with SPXII traffic.

I have also included a session of example SPXII traffic using the above steps
and transferring a large text file generated from the Lorem Ipsum website.


Lastly, here are some references on this protocol:

Novell Network Transport Services 4.1 for AIX (refer to Chapter 4):
http://ps-2.kev009.com/basil.holloway/ALL%20PDF/TRANSPORTS.pdf

NetWare IPX Protocol Reference (Slide 7):
http://www.infrax.com/fr/network_protocols/netware_ipx_protocol_reference.pdf

Some unknown packet parser module for SPX/SPXII:
https://nmparsers.svn.codeplex.com/svn/Develop_Branch/NPL/common/spx.npl


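The header rules described in the report above, as an added stand-alone parser (not the reporter's Lua script and not Wireshark code). It assumes the standard 12-byte big-endian SPX header with the classic high-nibble flag names, and assumes Negotiated Size is a 2-byte field placed directly after that header; the sample packets are constructed.

```python
import struct

# Classic SPX Connection Control bits (high nibble) plus the four low-nibble
# bits listed in the report.
CC_FLAGS = {
    0x80: "System Packet", 0x40: "Send Ack", 0x20: "Attention",
    0x10: "End of Message", 0x08: "SPXII Packet", 0x04: "Negotiate Size",
    0x02: "Reserved", 0x01: "Extended Header",
}
SPX_HDR = struct.Struct(">BBHHHHH")  # 12-byte classic SPX header, big-endian
FIRST_PACKET_DST_ID = 0xFFFF


def parse_spx(buf):
    """Parse an SPX/SPXII header from bytes that start after the IPX header."""
    if len(buf) < SPX_HDR.size:
        raise ValueError("truncated SPX header")
    cc, dstype, src_id, dst_id, seq, ack, alloc = SPX_HDR.unpack_from(buf)
    hdr = {
        "flags": [name for bit, name in CC_FLAGS.items() if cc & bit],
        "datastream_type": dstype, "src_id": src_id, "dst_id": dst_id,
        "seq": seq, "ack": ack, "alloc": alloc,
        "spxii": bool(cc & 0x08), "negotiated_size": None,
    }
    offset = SPX_HDR.size
    # Per the report: every SPXII packet except the session's first one
    # (destination ID 0xffff with the SPXII bit set) carries Negotiated Size.
    # Assumption: the field sits immediately after the 12-byte header.
    if hdr["spxii"] and dst_id != FIRST_PACKET_DST_ID:
        if len(buf) < offset + 2:
            raise ValueError("SPXII bit set but Negotiated Size is missing")
        (hdr["negotiated_size"],) = struct.unpack_from(">H", buf, offset)
        offset += 2
    hdr["payload"] = bytes(buf[offset:])
    return hdr


# Constructed sample headers (not taken from the attached capture).
FIRST = bytes.fromhex("c8 00 1234 ffff 0000 0000 0000")
DATA = bytes.fromhex("18 00 1234 5678 0001 0000 0008 05b8") + b"lorem"
CLASSIC = bytes.fromhex("40 00 1234 5678 0001 0000 0008") + b"hi"

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("data", DATA), ("classic", CLASSIC)):
        h = parse_spx(pkt)
        print(name, h["flags"], h["negotiated_size"], h["payload"])
```

The explicit length checks matter in a dissector: a packet with the SPXII bit set but no room for the extra field is reported as malformed instead of having payload bytes misread as a header field.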