Wireshark-bugs: [Wireshark-bugs] [Bug 13238] New: MPEG TS Parser stops parsing entire IP packet

Date: Mon, 12 Dec 2016 19:22:53 +0000
Bug ID: 13238
Summary: MPEG TS Parser stops parsing entire IP packet on MPEG packet error, ignores subsequent MPEG packet, triggers false continuity error in next packet
Product: Wireshark
Version: 2.3.x (Experimental)
Hardware: x86-64
OS: Windows 10
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 15124
Sample PCAP showing the parser errors

Build Information:
Version 2.3.0-1705-g00223bc (v2.3.0rc0-1705-g00223bc)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.1, with WinPcap (4_1_3), with GLib 2.42.0, with
zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0,
with LZ4, with Snappy, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 14393, with Intel(R) Core(TM) i7-6700HQ CPU
@ 2.60GHz (with SSE4.2), with 16250 MB of physical memory, with locale
English_United States.1252, with WinPcap version 4.1.2 (packet.dll version
4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with
GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap.

Built using Microsoft Visual C++ 12.0 build 40629

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The Wireshark MPEG parser appears to experience an issue where the parser
aborts parsing of the entire IP packet when a single MPEG packet (there can be
more than one MPEG packet within an IP packet) contains an error.  This has the
result of Wireshark incorrectly flagging the subsequent packet as having a
Continuity Counter (CC) error.  This is undesirable as the MPEG CC is per-PID,
so even if there is a PID with malformed data, MPEG packets for other PIDs
should be parsed, as their CC is maintained independently.

Issue was first noticed on 2.2.2 (I did not test earlier versions) and is still
present on the 2.2.3 build I am running.

Attaching repro diag capture; many instances can be seen with the filter
"ip.dst_host == 239.0.1.94 && _ws.expert.severity == error", but see packets
406/407 (406 has the aborted PMT parsing, 407 shows the false continuity error).
Also attaching Manzanita MP2SAE (Commercial MPEG Analyzer) report of the
extracted MPEG TS showing that there are no CC errors.
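
The behaviour described in this report, modelled as an added example (not Wireshark's dissector code and not part of the original report): per-PID continuity tracking over several TS packets per datagram, run once aborting on the first malformed packet and once continuing. The function names, the PIDs 0x100/0x200, the sample packets and the out-of-range `pointer_field` used as the malformed payload are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TS_LEN 188
typedef struct { int8_t last_cc[8192]; } cc_state;  /* per PID; -1 = not seen yet */
/* Stand-in payload check (assumption): with PUSI set, a pointer_field that
 * points past the end of the TS packet makes the payload malformed. */
static int payload_ok(const uint8_t *p, size_t n, int pusi) { return !(pusi && n > 0 && (size_t)p[0] >= n); }

/* Walk every TS packet in one UDP payload; return continuity errors flagged.
 * abort_on_error=1 models the reported behaviour, 0 keeps parsing. CC state is
 * updated from the header; duplicate-packet and discontinuity rules are omitted. */
static int scan_datagram(cc_state *st, const uint8_t *buf, size_t len, int abort_on_error) {
    int cc_errors = 0;
    for (size_t off = 0; off + TS_LEN <= len; off += TS_LEN) {
        const uint8_t *p = buf + off;
        if (p[0] != 0x47) { if (abort_on_error) break; continue; }  /* no sync byte */
        unsigned pid = ((p[1] & 0x1Fu) << 8) | p[2];
        int pusi = (p[1] >> 6) & 1, afc = (p[3] >> 4) & 3, cc = p[3] & 0x0F;
        if (pid == 0x1FFF || !(afc & 1)) continue;  /* CC only advances with payload */
        if (st->last_cc[pid] >= 0 && cc != ((st->last_cc[pid] + 1) & 0x0F)) cc_errors++;
        st->last_cc[pid] = (int8_t)cc;
        size_t hdr = 4 + ((afc & 2) ? 1u + p[4] : 0u);
        int bad = hdr > TS_LEN || !payload_ok(p + hdr, TS_LEN - hdr, pusi);
        if (bad && abort_on_error) break;  /* drops the remaining TS packets */
    }
    return cc_errors;
}

/* Build one constructed TS packet: payload only, `first` is its first payload byte. */
static void mk(uint8_t *p, unsigned pid, int pusi, int cc, uint8_t first) {
    memset(p, 0xFF, TS_LEN);
    p[0] = 0x47; p[1] = (uint8_t)((pusi << 6) | (pid >> 8)); p[2] = (uint8_t)pid;
    p[3] = (uint8_t)(0x10 | cc); p[4] = first;
}

/* Constructed capture: PID 0x200 sends CC 4, 5, 6 with no gap. */
static int cc_errors_for_sample(int abort_on_error) {
    cc_state st; uint8_t d[4 * TS_LEN];
    memset(st.last_cc, -1, sizeof st.last_cc);
    mk(d, 0x200, 0, 4, 0);                    /* datagram 0 */
    mk(d + TS_LEN, 0x100, 1, 0, 0xF0);        /* datagram 1: pointer_field 240 is out of range */
    mk(d + 2 * TS_LEN, 0x200, 0, 5, 0);       /* datagram 1, second TS packet */
    mk(d + 3 * TS_LEN, 0x200, 0, 6, 0);       /* datagram 2 */
    int n = scan_datagram(&st, d, TS_LEN, abort_on_error);
    n += scan_datagram(&st, d + TS_LEN, 2 * TS_LEN, abort_on_error);
    return n + scan_datagram(&st, d + 3 * TS_LEN, TS_LEN, abort_on_error);
}
int main(void) { printf("abort: %d, continue: %d\n", cc_errors_for_sample(1), cc_errors_for_sample(0)); return 0; }
```

In abort mode the CC 5 packet on PID 0x200 is never seen, so CC 6 in the next datagram is flagged even though the stream has no gap.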

