[Wireshark-bugs] [Bug 10230] New: erspan malformed data portion

Date: Wed, 25 Jun 2014 14:36:52 +0000
Bug ID: 10230
Summary: erspan malformed data portion
Classification: Unclassified
Product: Wireshark
Version: 1.10.8
Hardware: x86-64
OS: Windows 7
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 12849: pcap file of erspan data

Build Information:
Version 1.10.8 (v1.10.8-2-g52a5244 from master-1.10)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with
PortAudio V19-devel (built Jun 12 2014), with AirPcap.

Running on 64-bit Windows Server 2008R2 Service Pack 1, build 7601, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz, with 4095MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219
--
When viewing erspan packets in Wireshark, I get malformed packets. The packets
are good, but Wireshark is not interpreting the packet correctly.

The packet is formed as: EtherII - ip - gre - erspan - etherII - IP - ipdata. The
first EtherII has a trailer of 32 bytes, which is odd.
The IP headers have the correct 'total length', taking into account the extra
32 bytes of the (etherII-ip-gre-erspan) headers.
The last IP header shows the correct length, the same as the original packet
before encapsulation.
But the data portion of the last IP packet is calculated 32 bytes short.

Example:
An ICMP packet: the original IP packet has 80 bytes total length with a 20-byte
header, leaving 60 bytes for the ICMP packet. ICMP has an 8-byte header, leaving
52 bytes of data, but Wireshark reports 20 bytes, which is 32 bytes too short.


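The length bookkeeping the report walks through, as an added example that is not part of the bug report or of Wireshark's dissector: it constructs a frame in the layering described (Ethernet / IPv4 / GRE / ERSPAN / Ethernet / IPv4 / ICMP with a 32-byte Ethernet trailer), then sizes the inner ICMP data from the inner IPv4 total length rather than from the bytes left in the capture. The sample addresses, session id, sequence number and the 52 data bytes are constructed; the ERSPAN Type II layout (8-byte header, GRE protocol type 0x88BE, GRE sequence number present) is assumed from the standard format, since the attached pcap is not on the page.

```python
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
IPPROTO_ICMP = 1
GRE_PROTO_ERSPAN2 = 0x88BE   # ERSPAN Type II carried in GRE
ERSPAN2_LEN = 8              # ERSPAN Type II header is fixed at 8 bytes

def ipv4_header(total_len, proto):
    # Minimal IPv4 header (IHL=5); checksum left zero, nothing here validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def build_sample_frame():
    """Constructed sample in the layering the report describes (not real capture data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(range(52))   # echo request + 52 data bytes
    inner_ip = ipv4_header(20 + len(icmp), IPPROTO_ICMP) + icmp      # inner total length = 80
    inner_eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    erspan = struct.pack("!HHI", 0x1000, 0x0001, 0)                   # version 1 (Type II), session 1
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 7)           # S bit set: 4-byte sequence number
    payload = gre + erspan + inner_eth + inner_ip
    outer_ip = ipv4_header(20 + len(payload), IPPROTO_GRE) + payload
    outer_eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + outer_ip + b"\x00" * 32                        # 32-byte Ethernet trailer

def decap_erspan(frame):
    """Walk the encapsulation; the inner IPv4 total length is the authoritative size of the
    inner packet, and anything past the outer IPv4 total length is frame trailer, not data."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off = ETH_LEN
    outer_ihl, outer_total = (frame[off] & 0xF) * 4, struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 does not carry GRE")
    trailer_len = len(frame) - (ETH_LEN + outer_total)   # capture bytes beyond the outer IP packet
    off += outer_ihl
    gre_flags, gre_proto = struct.unpack("!HH", frame[off:off + 4])
    if gre_proto != GRE_PROTO_ERSPAN2:
        raise ValueError("GRE payload is not ERSPAN Type II")
    # Optional GRE fields: checksum (C=0x8000), key (K=0x2000), sequence number (S=0x1000)
    off += 4 + 4 * bool(gre_flags & 0x8000) + 4 * bool(gre_flags & 0x2000) + 4 * bool(gre_flags & 0x1000)
    off += ERSPAN2_LEN
    if struct.unpack("!H", frame[off + 12:off + 14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    off += ETH_LEN
    inner_ihl, inner_total = (frame[off] & 0xF) * 4, struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != IPPROTO_ICMP:
        raise ValueError("inner IPv4 does not carry ICMP")
    return {"inner_ip_total_len": inner_total,
            "icmp_data_len": inner_total - inner_ihl - 8,   # 8-byte ICMP header
            "trailer_len": trailer_len}
```

With the constructed frame the function reports an inner total length of 80, 52 bytes of ICMP data and a 32-byte trailer, the figures the report expects; a dissector that reports 20 data bytes on such a frame has let the trailer leak into the inner length calculation.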