Wireshark-bugs: [Wireshark-bugs] [Bug 11152] Wireshark decodes some valid RTP packets as STUN pa

Date: Tue, 28 Apr 2015 16:56:16 +0000

Comment # 4 on bug 11152 from
(In reply to Guy Harris from comment #3)
> The STUN heuristic dissector is recognizing the RTP packets as TURN
> ChannelData packets.  There *is* a check, early in dissect_stun_message() in
> packet-stun.c, for valid ChannelData messages, including a check of the
> value of the putative length field, so either that check is somehow being
> bypassed or is letting the packets in question pass the test.

Surprisingly, those packets pass the test, which *does* check the Length field
to see whether it's appropriate for the actual length of the packet.

That field overlaps the "Sequence Number" field of RTP packets.  A long enough
sequence of RTP packets, with sequence numbers incrementing by 1 for each
packet, might well contain a packet that, by pure bad luck, *happens* to have a
sequence number that would also be a valid length, so the two heuristics
collide here.  That's what happens for those two packets.

Perhaps we should mark the entire UDP "conversation" (between the two IP
address/UDP port endpoints) as being an RTP conversation once a single packet
has been dissected as RTP.
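The collision described in this comment, and the per-conversation marking it proposes, as an added example (not code from Wireshark or from the bug report). It models only the Length comparison, with the ChannelData test tried before RTP; the 172-byte packet size, `struct conv` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHANNEL_DATA_HDR_LEN 4  /* RFC 5766: 2-byte channel number + 2-byte length */
#define PKT_LEN (12 + 160)      /* constructed: 12-byte RTP header + 160-byte payload */
enum proto { PROTO_RTP, PROTO_CHANNELDATA };
struct conv { int is_rtp; };    /* hypothetical per-conversation state */

/* Constructed sample: minimal RTP v2 header, zeroed payload. */
static void build_rtp(uint8_t *buf, uint16_t seq)
{
    memset(buf, 0, PKT_LEN);
    buf[0] = 0x80;                  /* V=2, no padding, extension or CSRC */
    buf[2] = (uint8_t)(seq >> 8);   /* RTP sequence number lives in bytes 2-3 */
    buf[3] = (uint8_t)(seq & 0xff);
}

/* Length test only: bytes 2-3, read as a ChannelData Length, must equal
 * the datagram size minus the 4-byte ChannelData header. */
static int channeldata_length_ok(const uint8_t *buf, size_t len)
{
    if (len < CHANNEL_DATA_HDR_LEN) return 0;
    uint16_t claimed = (uint16_t)((buf[2] << 8) | buf[3]);
    return (size_t)claimed + CHANNEL_DATA_HDR_LEN == len;
}

/* Classify one datagram. With sticky set, a conversation already seen
 * as RTP is never offered to the ChannelData test again. */
static enum proto classify(struct conv *c, const uint8_t *buf, size_t len, int sticky)
{
    if (sticky && c->is_rtp) return PROTO_RTP;
    if (channeldata_length_ok(buf, len)) return PROTO_CHANNELDATA;
    c->is_rtp = 1;
    return PROTO_RTP;
}

/* Count packets misdetected as ChannelData in n consecutive RTP packets. */
static int count_misdetected(uint16_t first_seq, int n, int sticky)
{
    struct conv c = { 0 };
    uint8_t buf[PKT_LEN];
    int bad = 0;
    for (int i = 0; i < n; i++) {
        build_rtp(buf, (uint16_t)(first_seq + i));
        if (classify(&c, buf, PKT_LEN, sticky) == PROTO_CHANNELDATA) bad++;
    }
    return bad;
}
```

With 172-byte packets the only colliding sequence number is 168 (172 minus the 4-byte header). The sticky flag removes the misdetection once an earlier packet has been taken as RTP, but not when the colliding packet is the first one seen in the conversation.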

