Wireshark-bugs: [Wireshark-bugs] [Bug 12387] New: IP Header Length display filter should show ca

Date: Thu, 28 Apr 2016 05:29:56 +0000
Bug ID 12387
Summary IP Header Length display filter should show calculated value
Product Wireshark
Version 2.0.3
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
Version 2.0.4rc0-8-g971300c (v2.0.4rc0-8-g971300c from master-2.0)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz (with SSE4.2), with 16300MB of physical
memory.


Built using Microsoft Visual C++ 12.0 build 40629
--
For both the IP header length and TCP header length, what is actually stored in
the packet is the number of four-byte blocks, and what is displayed in the
Packet Details pane is the calculated value; that is, the number stored in the
packet multiplied by four. So if the IP header is 20 bytes, 5 is stored in the
packet, but 20 is displayed in the Packet Details pane.

Prior to Wireshark v2.0.0, the display filter also used the calculated value
and matched the value in the Packet Details pane. So, if the IP header length
was 20, right-clicking on the header length field and selecting "Apply as
Filter > Selected" or "Prepare a Filter > Selected" would populate the display
filter input box with "ip.hdr_len == 20".

Beginning with v2, the display filter for the IP header length field is now
"ip.hdr_len == 5". It uses the number stored in the packet rather than the
calculated value. This is less intuitively useful to the analyst, and the
behavior of the display filter for the IP header length field is now
inconsistent with the behavior of the TCP header length field, which continues
to use the calculated value ("tcp.hdr_len == 20" in the case of a 20-byte TCP
header).

The same is true of the IP Fragment Offset field: the calculated value is shown
in the Packet Details pane and used in the display filter.

In the interest of consistency and usability, I suggest that the ip.hdr_len
field display filter should be restored to displaying and using the same
calculated value that is shown in the Packet Details Pane. Generally, for any
field, whatever is shown in the Packet Details pane is what we should see in
the display filter.


You are receiving this mail because:
  • You are watching all bug changes.