Wireshark-bugs: [Wireshark-bugs] [Bug 11484] New: pcapng: NRB IPv4 address is endian swapped but

Date: Sat, 29 Aug 2015 14:26:28 +0000
Bug ID 11484
Summary pcapng: NRB IPv4 address is endian swapped but shouldn't be
Product Wireshark
Version 1.99.x (Experimental)
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Capture file support (libwiretap)
Assignee [email protected]
Reporter [email protected]

Created attachment 13834 [details]
example file with problem - should be "127.0.0.1" but isn't

Build Information:
Wireshark 1.99.9 (v1.99.9rc0-436-g51e77b6 from master)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.14.2, with Pango 1.30.1, with
libpcap, without POSIX capabilities, with libz 1.2.8, with GLib 2.36.0, with
SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS 2.12.19, with Gcrypt
1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 24
2015 08:02:01), without AirPcap.

Running on Mac OS X 10.10.5, build 14F27 (Darwin 14.5.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 47, with libz 1.2.5,
with GnuTLS 2.12.19, with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53).
--
The pcapng reader swaps the IPv4 address of an NRB record if the pcapng SHB is
of a different endianness than the local machine. But the pcapng writer always
writes it in big endian/network-order format, because that's how it's always
stored inside of Wireshark. Therefore, this bug makes a little-endian Wireshark
incorrectly read the pcapng file's NRB from a big-endian Wireshark, and
vice-versa.

Per the spec, it's always encoded in network order (4 separate bytes), and thus
should not be swapped on read.

The fix for this needs to be back-ported to 1.12 as well.
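
The read rule described in this report, as an added example (not Wireshark's libwiretap code and not part of the original report): a standalone parser for one nrb_record_ipv4 that reads the 16-bit type and length fields in the section's byte order and copies the four address octets untouched. The function names and both sample records are constructed for illustration; the record layout (2-byte type, 2-byte value length, then the value) is assumed from the pcapng specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NRB_RECORD_IPV4 0x0001

/* Constructed samples: one 127.0.0.1 "localhost" record, big-endian and
 * little-endian section. Only type/length differ; address octets are equal. */
static const uint8_t REC_BE[] = { 0x00,0x01, 0x00,0x0E, 127,0,0,1,
    'l','o','c','a','l','h','o','s','t',0, 0,0 };
static const uint8_t REC_LE[] = { 0x01,0x00, 0x0E,0x00, 127,0,0,1,
    'l','o','c','a','l','h','o','s','t',0, 0,0 };

/* Header fields follow the byte order announced by the SHB (be != 0: big). */
static uint16_t rd16(const uint8_t *p, int be)
{
    return be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

/* Parse one nrb_record_ipv4; returns 0 on success, -1 if malformed. addr[]
 * gets the octets exactly as stored (network order), never byte-swapped. */
int nrb_parse_ipv4(const uint8_t *rec, size_t len, int be,
                   uint8_t addr[4], const char **name)
{
    if (len < 4 || rd16(rec, be) != NRB_RECORD_IPV4)
        return -1;
    size_t vlen = rd16(rec + 2, be);
    /* value = 4 address octets + NUL-terminated name(s), inside the buffer */
    if (vlen < 5 || vlen > len - 4 || rec[4 + vlen - 1] != '\0')
        return -1;
    memcpy(addr, rec + 4, 4);
    *name = (const char *)rec + 8;
    return 0;
}

/* Returns 1 if the record parses and its address formats as `want`. */
int nrb_ipv4_is(const uint8_t *rec, size_t len, int be, const char *want)
{
    uint8_t a[4]; const char *name; char buf[16];
    if (nrb_parse_ipv4(rec, len, be, a, &name) != 0)
        return 0;
    snprintf(buf, sizeof buf, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    printf("BE ok=%d LE ok=%d\n", nrb_ipv4_is(REC_BE, sizeof REC_BE, 1, "127.0.0.1"),
           nrb_ipv4_is(REC_LE, sizeof REC_LE, 0, "127.0.0.1"));
    return 0;
}
```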

