Wireshark-bugs: [Wireshark-bugs] [Bug 11424] Vssmonitoring Timestamp

Date: Thu, 06 Aug 2015 12:37:16 +0000

changed bug 11424


What Removed Added
CC   [email protected]

Comment # 1 on bug 11424 from
Those trailers get rejected because they start with zeroes (a the timestamp
position), which hits the following code:
      if (vssmonitoring_time.secs == 0)
        return 0;
      if (vssmonitoring_time.secs > 3600) {

        /* Check whether the timestamp in the PCAP header and the
VSS-Monitoring
         * differ less than 30 days, otherwise, this might not be a
VSS-Monitoring
         * timestamp
         */
        if ( vssmonitoring_time.secs > pinfo->fd->abs_ts.secs ) {
          if ( vssmonitoring_time.secs - pinfo->fd->abs_ts.secs > 2592000 ) /*
30 days */
            return 0;
        } else {
          if ( pinfo->fd->abs_ts.secs - vssmonitoring_time.secs > 2592000 ) /*
30 days */
            return 0;
        }
      }

And the heuristic considers the trailer as not being a Vssmonitoring timestamp.

The doc
http://www.vssmonitoring.com/resources/feature-brief/Port-and-Time-Stamping.pdf
does not make any reference to a trailer that would not be 1, 8 or 13 bytes
long, and a visual review indicates that it should be 8 bytes long only. It
does not make any reference to an alignment rule neither.
If vssmonitoring could explain why it is generating a packet like this, we
could fix the heuristic dissector.


You are receiving this mail because:
  • You are watching all bug changes.