Wireshark-bugs: [Wireshark-bugs] [Bug 12182] New: MATE fails to extract fields from MGCP

Date: Fri, 26 Feb 2016 14:53:14 +0000
Bug ID 12182
Summary MATE fails to extract fields from MGCP
Product Wireshark
Version 2.0.1
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14366 [details]
two related MGCP packets, one of them contains an SDP

Build Information:
Version 2.0.1 (v2.0.1-0-g59ea380 from master-2.0)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
       Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 31101
--
When MATE is instructed to extract fields from mgcp, it fails to do so. Debug
shows that although MATE actually could find the fields, it has an issue with
the size of the mgcp part of the frame, assuming that it consists of a single
byte, which likely prevents it from actually using the fields found (probably
because the mechanism preventing outer transports from being extracted gets
involved). So I suspect that the information about the mgcp part size, which
MATE sources from the mgcp dissector, is wrong (e.g., the mgcp dissector
indicates success by returning just 1 instead of the real size of the Tvbuf it
has processed).

When you process the attached sample capture using one of the MATE configs
below, the debug indicates more or less the same regardless of whether mgcp is
indicated as Proto, Transport, or Payload.

Pdu mgcp_pdu Proto mgcp Transport udp/ip {
    Extract transid From mgcp.transid ;
    Extract ep From mgcp.req.endpoint ;
};
===>
mate_analyze_frame: trying to extract: rtps_pdu
mate_analyze_frame: trying to extract: mgcp_pdu
mate_analyze_frame: found matching proto, extracting: mgcp_pdu
new_pdu: type=mgcp_pdu framenum=1
new_pdu: proto range 42-42
new_pdu: transport(134320) range 34-42
new_pdu: transport(60313) range 14-34
get_pdu_fields: found field 57-76
get_pdu_fields: found field 47-56
mate_analyze_frame: trying to extract: sip_pdu


Pdu mgcp_pdu Proto sdp Transport mgcp/udp/ip {
    Extract transid From mgcp.transid ;
    Extract ep From mgcp.req.endpoint ;
};
===>
mate_analyze_frame: trying to extract: rtps_pdu
mate_analyze_frame: trying to extract: mgcp_pdu
mate_analyze_frame: found matching proto, extracting: mgcp_pdu
new_pdu: type=mgcp_pdu framenum=2
new_pdu: proto range 60-231
new_pdu: transport(78185) range 42-42
new_pdu: transport(134320) range 34-42
new_pdu: transport(60313) range 14-34
get_pdu_fields: found field 46-55
mate_analyze_frame: trying to extract: sip_pdu

Pdu mgcp_pdu Proto udp Transport ip {
    Payload mgcp;
    Extract transid From mgcp.transid ;
    Extract ep From mgcp.req.endpoint ;
};
===>
mate_analyze_frame: trying to extract: rtps_pdu
mate_analyze_frame: trying to extract: mgcp_pdu
mate_analyze_frame: found matching proto, extracting: mgcp_pdu
new_pdu: type=mgcp_pdu framenum=2
new_pdu: proto range 34-42
new_pdu: transport(60313) range 14-34
new_pdu: payload(78185) missed
get_pdu_fields: found field 46-55
mate_analyze_frame: trying to extract: sip_pdu


The debug settings in the current grammar look as follows:

Debug {
   Filename "c:/mate_debug.txt";
   Level 9;
   Pdu Level 9;
};
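
Added example, not part of the original report or of Wireshark's code: a Python script that parses the MATE debug lines shown above and lists, per PDU, the found fields that lie outside every proto/transport range, plus any range whose start equals its end. The containment rule and the name audit are assumptions made for illustration; they model the reporter's hypothesis, not MATE's actual logic.

```python
import re

# Constructed input: debug lines copied from the first two traces in the report.
SAMPLE = """\
new_pdu: type=mgcp_pdu framenum=1
new_pdu: proto range 42-42
new_pdu: transport(134320) range 34-42
new_pdu: transport(60313) range 14-34
get_pdu_fields: found field 57-76
get_pdu_fields: found field 47-56
new_pdu: type=mgcp_pdu framenum=2
new_pdu: proto range 60-231
new_pdu: transport(78185) range 42-42
new_pdu: transport(134320) range 34-42
new_pdu: transport(60313) range 14-34
get_pdu_fields: found field 46-55
"""

PDU = re.compile(r"new_pdu: type=(\S+) framenum=(\d+)")
RANGE = re.compile(r"new_pdu: (\w+)(?:\(\d+\))? range (\d+)-(\d+)")
FIELD = re.compile(r"get_pdu_fields: found field (\d+)-(\d+)")


def audit(log):
    """Group debug lines per PDU and test each found field against the ranges."""
    pdus = []
    for line in map(str.strip, log.splitlines()):
        if m := PDU.match(line):
            pdus.append({"frame": int(m[2]), "ranges": [], "fields": []})
        elif pdus and (m := RANGE.match(line)):
            pdus[-1]["ranges"].append((m[1], int(m[2]), int(m[3])))
        elif pdus and (m := FIELD.match(line)):
            pdus[-1]["fields"].append((int(m[1]), int(m[2])))
    report = []
    for pdu in pdus:
        # Assumption: a field is usable only if it lies fully inside one range.
        orphans = [(s, e) for s, e in pdu["fields"]
                   if not any(lo <= s and e <= hi for _, lo, hi in pdu["ranges"])]
        # A range whose start equals its end cannot contain a multi-byte field.
        empty = [(kind, lo) for kind, lo, hi in pdu["ranges"] if lo == hi]
        report.append({"frame": pdu["frame"], "orphans": orphans, "empty": empty})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

On the two traces embedded here, every found field is reported as lying outside all ranges, and the range with equal start and end is the one that corresponds to mgcp.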

