Wireshark-bugs: [Wireshark-bugs] [Bug 13161] New: ICMP dissector fails to properly detect timest

Date: Mon, 21 Nov 2016 16:04:46 +0000
Bug ID 13161
Summary ICMP dissector fails to properly detect timestamps
Product Wireshark
Version 2.2.1
Hardware x86-64
OS Linux (other)
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 15077
Bugged packets are at least 2216, 39736, 90108

Build Information:
TShark (Wireshark) 2.2.1

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.1, with zlib 1.2.8, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.4.16, with Gcrypt 1.7.3, with MIT Kerberos, with GeoIP.

Running on Linux 4.8.8-gnu-2, with locale en_US.UTF-8, with libpcap version
1.8.1, with GnuTLS 3.4.16, with Gcrypt 1.7.3, with zlib 1.2.8.
Intel(R) Core(TM)2 CPU         P8600  @ 2.40GHz

Built using gcc 6.2.1 20160830.

--
Wireshark fails to parse the timestamp of certain ICMP packets, merging the value
into the data segment.

Example bugged packets are in the attached pcap (at least numbers 2216, 39736,
90108).

Incorrectly parsed hex dump
0000   f4 5c 89 bb 35 8d 48 5d 36 71 f6 83 08 00 45 00
0010   00 3c c3 64 00 00 40 01 33 45 c0 a8 01 01 c0 a8
0020   01 c6 00 00 7d 55 fc bb 00 00 58 1e 2b ba 00 0f
0030   42 1e 65 53 65 53 65 53 65 53 65 53 65 53 65 53
0040   65 53 65 53 65 53 65 53 65 53 

Correctly parsed hex dump
0000   f4 5c 89 bb 35 8d 48 5d 36 71 f6 83 08 00 45 00
0010   00 3c c3 63 00 00 40 01 33 46 c0 a8 01 01 c0 a8
0020   01 c6 00 00 cc c9 fb bb 00 00 58 1e 2b ba 00 0f
0030   34 30 35 48 35 48 35 48 35 48 35 48 35 48 35 48
0040   35 48 35 48 35 48 35 48 35 48

I believe the guilty code part in packet-icmp.c is the one at line 1504, commented with

    /* Interpret the first 8 bytes of the icmp data as a timestamp
     * But only if it does look like it's a timestamp.
     *
     * FIXME:
     *    Timestamps could be in different formats depending
     *    on the OS
     */

I do not, however, have enough knowledge of the project to resolve the issue.
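
Added worked example, not part of the bug report and not Wireshark's code: it decodes the two hex dumps quoted above (Ethernet, IPv4, ICMP), verifies the IPv4 and ICMP checksums, reads the first 8 bytes of echo data as the big-endian seconds/microseconds pair the quoted comment refers to, and runs a plausibility check of the kind that comment describes. The check used here (timestamp not later than the capture time, less than a day old, microseconds below 1 000 000) is this example's own assumption, not the dissector's code. Decoding shows what the two frames share and where they differ: both are echo replies carrying 0x581e2bba seconds (2016-11-05 18:58:02 UTC); the accepted one has 996400 microseconds, the rejected one 999966, which is 34 microseconds before the second rolls over. The capture timestamps are not in the report, so the example evaluates each frame against a capture time in the same second and in the next one. It also includes a deliberately flawed variant that takes the seconds difference as an unsigned 32-bit value, to show how a stamp captured just after a second boundary gets rejected by such arithmetic; whether packet-icmp.c does that is not established by the report.

```python
"""Added example (not from the bug report or from Wireshark's packet-icmp.c).
Decodes the two frames quoted in the report and applies a "does the start of
the echo data look like a ping timestamp" heuristic. The acceptance rule is
this example's own assumption, not the dissector's code."""
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1

# Hex dumps copied from the report: the frame the dissector got wrong and the
# preceding frame it got right (192.168.1.1 -> 192.168.1.198, ICMP echo reply).
BUGGED_HEX = """
f4 5c 89 bb 35 8d 48 5d 36 71 f6 83 08 00 45 00
00 3c c3 64 00 00 40 01 33 45 c0 a8 01 01 c0 a8
01 c6 00 00 7d 55 fc bb 00 00 58 1e 2b ba 00 0f
42 1e 65 53 65 53 65 53 65 53 65 53 65 53 65 53
65 53 65 53 65 53 65 53 65 53
"""
CORRECT_HEX = """
f4 5c 89 bb 35 8d 48 5d 36 71 f6 83 08 00 45 00
00 3c c3 63 00 00 40 01 33 46 c0 a8 01 01 c0 a8
01 c6 00 00 cc c9 fb bb 00 00 58 1e 2b ba 00 0f
34 30 35 48 35 48 35 48 35 48 35 48 35 48 35 48
35 48 35 48 35 48 35 48 35 48
"""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a buffer that already carries a
    correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_echo(hexdump: str) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP, verify both checksums, and return the
    ICMP header fields plus the echo data that follows them."""
    frame = bytes.fromhex("".join(hexdump.split()))
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = ip[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": icmp[8:]}


def timestamp_fields(data: bytes) -> tuple:
    """First 8 bytes of echo data read as big-endian (seconds, microseconds)."""
    return struct.unpack("!II", data[:8])


def timestamp_utc(data: bytes) -> str:
    secs, usec = timestamp_fields(data)
    stamp = datetime.fromtimestamp(secs, timezone.utc).replace(microsecond=usec)
    return stamp.isoformat()


def looks_like_timestamp(data: bytes, capture_secs: int) -> bool:
    """Plausibility rule (this example's assumption): seconds not after the
    capture time and less than a day old, microseconds below 1 000 000. The
    subtraction is signed, so a stamp taken 34 us before a second boundary and
    captured just after it is simply one second old and still accepted."""
    if len(data) < 8:
        return False
    secs, usec = timestamp_fields(data)
    age = capture_secs - secs
    return 0 <= age < 24 * 3600 and usec < 1_000_000


def looks_like_timestamp_wrapped(data: bytes, capture_secs: int) -> bool:
    """Same rule with a pitfall constructed for illustration: the difference is
    taken as (timestamp - capture) and truncated to unsigned 32 bits, as a C
    cast would do. A stamp from the previous second wraps to 4294967295 and is
    rejected. Not a claim about what packet-icmp.c does."""
    if len(data) < 8:
        return False
    secs, usec = timestamp_fields(data)
    age_u32 = (secs - capture_secs) & 0xFFFFFFFF
    return age_u32 < 24 * 3600 and usec < 1_000_000


if __name__ == "__main__":
    for name, hx in (("bugged", BUGGED_HEX), ("correct", CORRECT_HEX)):
        pkt = parse_echo(hx)
        secs, _usec = timestamp_fields(pkt["data"])
        print(name, "type", pkt["type"], "id 0x%04x" % pkt["id"],
              "ts", timestamp_utc(pkt["data"]))
        # The report gives no capture times: try the same second and the next.
        for cap in (secs, secs + 1):
            print("  capture %d: signed=%s wrapped=%s" % (
                cap, looks_like_timestamp(pkt["data"], cap),
                looks_like_timestamp_wrapped(pkt["data"], cap)))
```

Run it as a script to see both frames decoded; the only field that separates the rejected frame from the accepted one is the microsecond value, and the wrapped variant rejects either frame as soon as the capture time lands in the following second, which the rejected frame, with a 34 microsecond margin, is far more likely to do.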

