Wireshark-bugs: [Wireshark-bugs] [Bug 10779] New: Error in decode: BGP Update Message "Malformed

Date: Mon, 15 Dec 2014 19:12:51 +0000
Bug ID 10779
Summary Error in decode: BGP Update Message "Malformed Packet"
Product Wireshark
Version 1.12.1
Hardware x86
OS Windows Server 2008 R2
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
Version 1.12.1 (v1.12.1-0-g01b65bf from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.1.22, with Gcrypt 1.6.0,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Sep 16 2014),
with
AirPcap.

Running on 64-bit Windows Server 2008 Service Pack 2, build 6002, with WinPcap
version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0
branch 1_0_rel0b (20091008), GnuTLS 3.1.22, Gcrypt 1.6.0, without AirPcap.
      Intel(R) Core(TM) i7-3840QM CPU @ 2.80GHz, with 4094MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

--
Decode of a BGP session results in nearly all update packets flagged as
malformed. Also NLRI (e.g. 91.220.91.0/24, for the first update) is missing
from the decode in most cases.

tcpdump 4.3.0 on my laptop is able to decode the trace with no apparent errors:
tcpdump version 4.3.0 -- Apple version 59
libpcap version 1.5.3 - Apple version 47

For the first packet, tcpdump shows:
12:13:32.158452 IP (tos 0xe0, ttl 252, id 15184, offset 0, flags [DF], proto
TCP (6), length 596)
    user-24-96-153-224.knology.net.bgp > 10.98.215.12.31235: Flags [P.], cksum
0xa694 (correct), seq 3092138782:3092139326, ack 3519486154, win 16384, options
[nop,nop,TS val 2015578667 ecr 2503446345], length 544: BGP, length: 544
        Update Message (2), length: 143
          Origin (1), length: 1, Flags [T]: IGP
          AS Path (2), length: 16, Flags [T]: 3257 12883 6703 23456 23456 23456
23456 
          AS4 Path (17), length: 30, Flags [OT]: 3257 12883 6703 3.750 3.750
3.750 3.750 
          Next Hop (3), length: 4, Flags [T]: xe-10-1-1.chi11.ip4.gtt.net
          Multi Exit Discriminator (4), length: 4, Flags [O]: 1234
          Local Preference (5), length: 4, Flags [T]: 100
          Community (8), length: 36, Flags [OT]: 3257:4000, 3257:8092,
3257:50001, 3257:50111, 3257:54800, 3257:54801, 12083:6016, 12083:7014,
12083:65100
          Updated routes:
            91.220.91.0/24
        Update Message (2), length: 155
          Origin (1), length: 1, Flags [T]: IGP
          AS Path (2), length: 16, Flags [T]: 3356 12883 6703 23456 23456 23456
23456 
          AS4 Path (17), length: 30, Flags [OT]: 3356 12883 6703 3.750 3.750
3.750 3.750 
          Next Hop (3), length: 4, Flags [T]:
xe-7-2-0.edge4.chicago3.level3.net
          Multi Exit Discriminator (4), length: 4, Flags [O]: 0
          Local Preference (5), length: 4, Flags [T]: 100
          Community (8), length: 48, Flags [OT]: 3356:2, 3356:22, 3356:100,
3356:123, 3356:513, 3356:2084, 12083:6016, 12083:7001, 12083:65100, 12883:1,
12883:109, 12883:11044
          Updated routes:
            91.220.91.0/24
        Update Message (2), length: 134
          Origin (1), length: 1, Flags [T]: IGP
          AS Path (2), length: 10, Flags [T]: 3356 9498 9730 58678 
          Next Hop (3), length: 4, Flags [T]:
xe-9-3-0.bar1.cleveland1.level3.net
          Multi Exit Discriminator (4), length: 4, Flags [O]: 0
          Local Preference (5), length: 4, Flags [T]: 100
          Community (8), length: 48, Flags [OT]: 3356:3, 3356:22, 3356:100,
3356:123, 3356:575, 3356:2003, 3356:11032, 12083:6022, 12083:7001, 12083:65100,
64980:0, 65000:0
          Originator ID (9), length: 4, Flags [O]: 76-73-168-1.knology.net
          Cluster List (10), length: 8, Flags [O]: 10.0.0.7, 10.0.0.4
          Updated routes:
            103.226.4.0/24
        Update Message (2), length: 112
          Origin (1), length: 1, Flags [T]: IGP
          AS Path (2), length: 10, Flags [T]: 3356 9498 9730 58678 
          Next Hop (3), length: 4, Flags [T]:
xe-7-2-0.edge4.chicago3.level3.net
          Multi Exit Discriminator (4), length: 4, Flags [O]: 0
          Local Preference (5), length: 4, Flags [T]: 100
          Community (8), length: 44, Flags [OT]: 3356:3, 3356:22, 3356:100,
3356:123, 3356:575, 3356:2003, 12083:6016, 12083:7001, 12083:65100, 64980:0,
65000:0
          Updated routes:
            103.226.4.0/24


While tshark shows:
Frame 1: 610 bytes on wire (4880 bits), 610 bytes captured (4880 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 15, 2014 12:13:32.158452000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1418663612.158452000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 610 bytes (4880 bits)
    Capture Length: 610 bytes (4880 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:bgp]
Ethernet II, Src: Vmware_01:04:f9 (00:50:56:01:04:f9), Dst: Vmware_01:04:bd
(00:50:56:01:04:bd)
    Destination: Vmware_01:04:bd (00:50:56:01:04:bd)
        Address: Vmware_01:04:bd (00:50:56:01:04:bd)
        .... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Vmware_01:04:f9 (00:50:56:01:04:f9)
        Address: Vmware_01:04:f9 (00:50:56:01:04:f9)
        .... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 24.96.153.224 (24.96.153.224), Dst:
10.98.215.12 (10.98.215.12)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0xe0 (DSCP 0x38: Class Selector 7; ECN:
0x00: Not-ECT (Not ECN-Capable Transport))
        1110 00.. = Differentiated Services Codepoint: Class Selector 7 (0x38)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable
Transport) (0x00)
    Total Length: 596
    Identification: 0x3b50 (15184)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 252
    Protocol: TCP (6)
    Header checksum: 0xacc4 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 24.96.153.224 (24.96.153.224)
    Destination: 10.98.215.12 (10.98.215.12)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 179 (179), Dst Port: 31235 (31235),
Seq: 1, Ack: 1, Len: 544
    Source Port: 179 (179)
    Destination Port: 31235 (31235)
    [Stream index: 0]
    [TCP Segment Len: 544]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 545    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 16384
    [Calculated window size: 16384]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xa694 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 2015578667, TSecr 2503446345
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2015578667
            Timestamp echo reply: 2503446345
    [SEQ/ACK analysis]
        [Bytes in flight: 544]
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 143
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 116
    Path attributes
        Path Attribut - ORIGIN: IGP
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: ORIGIN (1)
            Length: 1
            Origin: IGP (0)
        Path Attribut - AS_PATH: 3257 12883 6703 23456 23456 23456 23456 
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS_PATH (2)
            Length: 16
            AS Path segment: 3257 12883 6703 23456 23456 23456 23456
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 7
                AS2: 3257
                AS2: 12883
                AS2: 6703
                AS2: 23456
                AS2: 23456
                AS2: 23456
                AS2: 23456
        Path Attribut - AS4_PATH: 3257 12883 6703 197358 197358 197358 197358
72172365 1837106180 1234 67108864 1690306596 213454752 213458844 213500753
3284077753 3591376057 3591450419 394276659 459681587 4266399835 
            Flags: 0xc0, Optional, Transitive: Optional, Transitive, Complete
                1... .... = Optional: Optional
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS4_PATH (17)
            Length: 30
            AS Path segment: 3257 12883 6703 197358 197358 197358 197358
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 7
                AS4: 3257
                AS4: 12883
                AS4: 6703
                AS4: 197358
                AS4: 197358
                AS4: 197358
                AS4: 197358
            AS Path segment: 72172365 1837106180 1234
                Segment type: Unknown (64)
                Segment length (number of ASN): 3
                AS4: 72172365
                AS4: 1837106180
                AS4: 1234
            AS Path segment: 67108864 1690306596 213454752 213458844 213500753
                Segment type: Unknown (64)
                Segment length (number of ASN): 5
                AS4: 67108864
                AS4: 1690306596
                AS4: 213454752
                AS4: 213458844
                AS4: 213500753
            AS Path segment: 3284077753 3591376057 3591450419 394276659
459681587 4266399835 
                Segment type: Unknown (12)
                Segment length (number of ASN): 185
                AS4: 3284077753
                AS4: 3591376057
                AS4: 3591450419
                AS4: 394276659
                AS4: 459681587
                AS4: 4266399835
[Malformed Packet: BGP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 155
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 128
    Path attributes
        Path Attribut - ORIGIN: IGP
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: ORIGIN (1)
            Length: 1
            Origin: IGP (0)
        Path Attribut - AS_PATH: 219951699 439311264 1537235872 1537261585
503449344 859136 3298048 788529922 3992978178 3992978178 3992978178 3997172484
70607401 2147746816 64 84148224 6602760 806165504 34413568 369957888 1678580736
2064456706 17
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS_PATH (2)
            Length: 16
            AS Path segment: 219951699 439311264 1537235872 1537261585
503449344 859136 3298048
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 7
                AS4: 219951699
                AS4: 439311264
                AS4: 1537235872
                AS4: 1537261585
                AS4: 503449344
                AS4: 859136
                AS4: 3298048
            AS Path segment: 788529922 3992978178 3992978178 3992978178
3997172484 70607401 2147746816 64 84148224 6602760 806165504 34413568 369957888
1678580736 2064456706 17636360 607073047 2150576923 1496265726 1278366464
20075264 1832014635 60557
                Segment type: Unknown (0)
                Segment length (number of ASN): 26
                AS4: 788529922
                AS4: 3992978178
                AS4: 3992978178
                AS4: 3992978178
                AS4: 3997172484
                AS4: 70607401
                AS4: 2147746816
                AS4: 64
                AS4: 84148224
                AS4: 6602760
                AS4: 806165504
                AS4: 34413568
                AS4: 369957888
                AS4: 1678580736
                AS4: 2064456706
                AS4: 17636360
                AS4: 607073047
                AS4: 2150576923
                AS4: 1496265726
                AS4: 1278366464
                AS4: 20075264
                AS4: 1832014635
                AS4: 605576156
[Malformed Packet: BGP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 134
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 107
    Path attributes
        Path Attribut - ORIGIN: IGP
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: ORIGIN (1)
            Length: 1
            Origin: IGP (0)
        Path Attribut - AS_PATH: 219948314 637723958 1073939460 902123904 [0,
1074070528, 25792, 137366812] 219938838 219938916 219938939 37686556 131271964
723005235 394669875 458829619 4266458580 65000 32777 72108456 25168392
167772167 167772164
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS_PATH (2)
            Length: 10
            AS Path segment: 219948314 637723958 1073939460 902123904
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 4
                AS4: 219948314
                AS4: 637723958
                AS4: 1073939460
                AS4: 902123904
            AS Path segment: [0, 1074070528, 25792, 137366812]
                Segment type: AS_CONFED_SET (4)
                Segment length (number of ASN): 4
                AS4: 0
                AS4: 1074070528
                AS4: 25792
                AS4: 137366812
            AS Path segment: 219938838 219938916 219938939
                Segment type: Unknown (0)
                Segment length (number of ASN): 3
                AS4: 219938838
                AS4: 219938916
                AS4: 219938939
            AS Path segment: 37686556 131271964 723005235 394669875 458829619
4266458580 65000 32777 72108456 25168392 167772167 167772164 409461252 
                Segment type: Unknown (13)
                Segment length (number of ASN): 28
                AS4: 37686556
                AS4: 131271964
                AS4: 723005235
                AS4: 394669875
                AS4: 458829619
                AS4: 4266458580
                AS4: 65000
                AS4: 32777
                AS4: 72108456
                AS4: 25168392
                AS4: 167772167
                AS4: 167772164
                AS4: 409461252
[Malformed Packet: BGP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 112
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 85
    Path attributes
        Path Attribut - ORIGIN: IGP
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: ORIGIN (1)
            Length: 1
            Origin: IGP (0)
        Path Attribut - AS_PATH: 219948314 637723958 1073939460 895625600 [0,
1074070528, 25792, 137104668] 219938838 219938916 219938939 37686556 131280691
394276659 458829619 4266458580 65000 6247 
            Flags: 0x40, Transitive: Well-known, Transitive, Complete
                0... .... = Optional: Well-known
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS_PATH (2)
            Length: 10
            AS Path segment: 219948314 637723958 1073939460 895625600
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 4
                AS4: 219948314
                AS4: 637723958
                AS4: 1073939460
                AS4: 895625600
            AS Path segment: [0, 1074070528, 25792, 137104668]
                Segment type: AS_CONFED_SET (4)
                Segment length (number of ASN): 4
                AS4: 0
                AS4: 1074070528
                AS4: 25792
                AS4: 137104668
            AS Path segment: 219938838 219938916 219938939
                Segment type: Unknown (0)
                Segment length (number of ASN): 3
                AS4: 219938838
                AS4: 219938916
                AS4: 219938939
            AS Path segment: 37686556 131280691 394276659 458829619 4266458580
65000 6247 
                Segment type: Unknown (13)
                Segment length (number of ASN): 28
                AS4: 37686556
                AS4: 131280691
                AS4: 394276659
                AS4: 458829619
                AS4: 4266458580
                AS4: 65000
                AS4: 6247
[Malformed Packet: BGP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]



Charles
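The two outputs in the report differ in how the AS_PATH and AS4_PATH attribute values are bounded and which ASN width is applied. The following added example (not part of the original report and not Wireshark or tcpdump code) parses both values strictly inside their declared attribute lengths. The function names are hypothetical, and the byte strings are constructed from the lengths and AS numbers printed above.

```python
import struct

# Segment types for AS_PATH (RFC 4271) and confederation segments (RFC 5065).
SEGMENT_TYPES = {1: "AS_SET", 2: "AS_SEQUENCE",
                 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}

# Constructed from the report: AS_PATH, length 16, one AS_SEQUENCE of 7 ASNs.
AS_PATH_16 = bytes([2, 7]) + struct.pack(
    "!7H", 3257, 12883, 6703, 23456, 23456, 23456, 23456)
# Constructed from the report: AS4_PATH, length 30 (3.750 == 197358).
AS4_PATH_30 = bytes([2, 7]) + struct.pack(
    "!7I", 3257, 12883, 6703, 197358, 197358, 197358, 197358)


def parse_as_path(value: bytes, asn_size: int):
    """Parse an AS_PATH/AS4_PATH value without reading past len(value)."""
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt = "!H" if asn_size == 2 else "!I"
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        if seg_type not in SEGMENT_TYPES:
            raise ValueError(f"unknown segment type {seg_type}")
        need = count * asn_size
        left = len(value) - offset
        if need > left:
            # The segment claims more ASNs than the attribute can hold.
            raise ValueError(f"segment needs {need} bytes, {left} left")
        asns = [struct.unpack_from(fmt, value, offset + i * asn_size)[0]
                for i in range(count)]
        segments.append((SEGMENT_TYPES[seg_type], asns))
        offset += need
    return segments


def consistent_asn_sizes(value: bytes):
    """Return the ASN widths (2 and/or 4) that consume the value exactly."""
    sizes = []
    for size in (2, 4):
        try:
            parse_as_path(value, size)
        except ValueError:
            continue
        sizes.append(size)
    return sizes


if __name__ == "__main__":
    print("AS_PATH  len 16 ->", consistent_asn_sizes(AS_PATH_16))
    print("AS4_PATH len 30 ->", consistent_asn_sizes(AS4_PATH_30))
    print(parse_as_path(AS4_PATH_30, 4))
```

With the length enforced, the 16-byte AS_PATH is only valid with 2-byte ASNs and the 30-byte AS4_PATH ends after its single 7-ASN segment. In the tshark output, the "Unknown (64)" segment with 3 ASNs that follows the AS4_PATH is consistent with a parser running past that boundary: 0x40 and 3 are the flags and type code of a NEXT_HOP attribute header.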

