Wireshark-dev: [Wireshark-dev] difference between windows and linux behavior
From: "John R." <jhoger@xxxxxxxxx>
Date: Fri, 23 Jun 2006 17:17:19 -0700
I use tcp_dissect_pdus in my dissector to desegment TCP and break apart my higher level protocol. The TCP stack in my device ends up batching a lot of packets together.

I have a 5 byte header including a start byte, a short of flags and a length short. That's how much I tell tcp_dissect_pdus I need to determine the length of the full packet. I have validated that I am calculating and returning the actual length properly (20 bytes).

The situation I have found is where 4 bytes of the 5 byte header are in one packet and the last byte is in the next. This works under Linux, i.e. the TCP segments are reassembled. But under Windows it behaves differently... it seems to lose the 5 bytes (i.e. it never calls my dissector with those bytes). But then it calls my dissector in the middle of the packet, just after the 5 bytes discarded, causing an attempt to dissect which fails since it is now out of sync with the stream.

I am still on a fairly recent checkout of Ethereal, and I'm wondering if

a) Has this been seen before? Would updating to Wireshark help?

b) Where should I look to resolve this bug? Is it likely to be completely within packet-tcp.c?

    static guint
    get_mach1_pdu_len (tvbuff_t *tvb, int offset)
    {
      guint16 header;
      guint16 data_len;
      guint16 total_len;

      /* get the flags to determine if the timestamp is included */
      header = tvb_get_ntohs (tvb, offset + 1);

      /* fetch the data length, mask off extra bits just in case */
      data_len = tvb_get_ntohs (tvb, offset + 3);
      data_len = data_len & 0x03ffU;

      /* return total of data length, timestamp, header and checksum lengths */
      total_len = (data_len + ((header & 0x4000U) ? 8 : 0) + 5 + 1);

      return (total_len);
    }

    static void
    dissect_mach1_tcp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
      packet_ndx = 0;
      tcp_dissect_pdus (tvb, pinfo, tree, (gboolean) (!0), 5,
                        get_mach1_pdu_len, dissect_mach1);
    }

The packet I am dissecting is

    EF 61 02 00 (tail of first TCP segment)
    06 44 9B 2A 74 00 06 15 EF 01 01 01 02 04 33 ED (from the subsequent segment)

What I see is that EF 61 02 00 06 are discarded and 44... is fed to my dissector instead.

I have included the exports of the packet dumps at the end of this message.

Crossing my fingers that this is a known issue or triggers an idea somewhere...

Thanks,

-- John.

First packet:

    No.     Time        Source                Destination           Protocol Info
         60 1.124572    192.168.20.108        192.168.20.117        Mach1    M-> OCS::InventoryNtf [1151019636.396602] Packets=41

    Frame 60 (1514 bytes on wire, 1514 bytes captured)
    Ethernet II, Src: Impinj_00:00:05 (00:16:25:00:00:05), Dst: Dell_0b:62:0b (00:11:43:0b:62:0b)
    Internet Protocol, Src: 192.168.20.108 (192.168.20.108), Dst: 192.168.20.117 (192.168.20.117)
    Transmission Control Protocol, Src Port: 49380 (49380), Dst Port: 3693 (3693), Seq: 29825, Ack: 0, Len: 1460
        Source port: 49380 (49380)
        Destination port: 3693 (3693)
        Sequence number: 29825    (relative sequence number)
        Next sequence number: 31285    (relative sequence number)
        Acknowledgement number: 0    (relative ack number)
        Header length: 20 bytes
        Flags: 0x0010 (ACK)
        Window size: 5840
        Checksum: 0x1b2a [correct]
        TCP segment data (4 bytes)

    (some detail removed)

Second packet:

    No.     Time        Source                Destination           Protocol Info
         62 1.124918    192.168.20.108        192.168.20.117        TCP      [TCP segment of a reassembled PDU]

    Frame 62 (70 bytes on wire, 70 bytes captured)
        Arrival Time: Jun 22, 2006 16:40:29.268713000
        Time delta from previous packet: 0.000346000 seconds
        Time since reference or first frame: 1.124918000 seconds
        Frame Number: 62
        Packet Length: 70 bytes
        Capture Length: 70 bytes
        Protocols in frame: eth:ip:tcp:mach1:mach1
        Coloring Rule Name: TCP
        Coloring Rule String: tcp
    Ethernet II, Src: Impinj_00:00:05 (00:16:25:00:00:05), Dst: Dell_0b:62:0b (00:11:43:0b:62:0b)
        Destination: Dell_0b:62:0b (00:11:43:0b:62:0b)
            Address: Dell_0b:62:0b (00:11:43:0b:62:0b)
            .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
            .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
        Source: Impinj_00:00:05 (00:16:25:00:00:05)
            Address: Impinj_00:00:05 (00:16:25:00:00:05)
            .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
            .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
        Type: IP (0x0800)
    Internet Protocol, Src: 192.168.20.108 (192.168.20.108), Dst: 192.168.20.117 (192.168.20.117)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 56
        Identification: 0x80e3 (32995)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (0x06)
        Header checksum: 0x0fab [correct]
            Good: True
            Bad : False
        Source: 192.168.20.108 (192.168.20.108)
        Destination: 192.168.20.117 (192.168.20.117)
    Transmission Control Protocol, Src Port: 49380 (49380), Dst Port: 3693 (3693), Seq: 31285, Ack: 0, Len: 16
        Source port: 49380 (49380)
        Destination port: 3693 (3693)
        Sequence number: 31285    (relative sequence number)
        Next sequence number: 31301    (relative sequence number)
        Acknowledgement number: 0    (relative ack number)
        Header length: 20 bytes
        Flags: 0x0018 (PSH, ACK)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...1 .... = Acknowledgment: Set
            .... 1... = Push: Set
            .... .0.. = Reset: Not set
            .... ..0. = Syn: Not set
            .... ...0 = Fin: Not set
        Window size: 5840
        Checksum: 0x33db [correct]
        TCP segment data (16 bytes)
        Reassembled PDU in frame: 62
        TCP segment data (5 bytes)
        TCP segment data (9 bytes)
    Reassembled TCP Segments (5 bytes): #60(4), #62(1)
        Frame: 60, payload: 0-3 (4 bytes)
        Frame: 62, payload: 4-4 (1 bytes)
    Impinj Mach1 #1 ???11::UNKNOWN

    Frame (70 bytes):

    0000  00 11 43 0b 62 0b 00 16 25 00 00 05 08 00 45 00   ..C.b...%.....E.
    0010  00 38 80 e3 40 00 40 06 0f ab c0 a8 14 6c c0 a8   .8..@.@......l..
    0020  14 75 c0 e4 0e 6d a9 07 0a 67 7f 6d 77 39 50 18   .u...m...g.mw9P.
    0030  16 d0 33 db 00 00 06 44 9b 2a 74 00 06 15 ef 01   ..3....D.*t.....
    0040  01 01 02 04 33 ed                                 ....3.

    Reassembled TCP (5 bytes):

    0000  ef 61 02 00 06                                    .a...
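
The split-header case from the post, as an added example that is not part of the original message and not Wireshark code: a stand-alone buffer-based reassembler that reuses the post's length arithmetic and reads the length only once all 5 header bytes are buffered. `struct reasm`, `reasm_feed` and the 0xEF start-byte check are assumptions made for illustration; the block does not reproduce how tcp_dissect_pdus is implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 5     /* start byte + 2-byte flags + 2-byte length, per the post */
#define START   0xEF  /* assumption: start byte value taken from the sample bytes */

/* Same arithmetic as get_mach1_pdu_len() in the post, on a raw buffer. */
static size_t pdu_len(const uint8_t *h)
{
    uint16_t flags    = (uint16_t)((h[1] << 8) | h[2]);
    uint16_t data_len = (uint16_t)(((h[3] << 8) | h[4]) & 0x03ffU);
    return data_len + ((flags & 0x4000U) ? 8u : 0u) + HDR_LEN + 1u;
}

/* Hypothetical carry-over state; last_len is the last complete PDU's length. */
struct reasm { uint8_t buf[4096]; size_t used, last_len; };

/* Append one TCP payload. Returns the number of complete PDUs found, -1 on
 * buffer overflow, -2 if a PDU does not begin with START (out of sync). */
static int reasm_feed(struct reasm *r, const uint8_t *seg, size_t n)
{
    size_t off = 0;
    int pdus = 0;
    if (n > sizeof r->buf - r->used) return -1;
    memcpy(r->buf + r->used, seg, n);
    r->used += n;
    while (r->used - off >= HDR_LEN) {       /* never parse a partial header */
        if (r->buf[off] != START) return -2;
        size_t need = pdu_len(r->buf + off);
        if (r->used - off < need) break;     /* body incomplete: wait for more */
        r->last_len = need;
        off += need;
        pdus++;
    }
    memmove(r->buf, r->buf + off, r->used - off);  /* keep the unfinished PDU */
    r->used -= off;
    return pdus;
}

/* Constructed from the bytes quoted in the post: 4 header bytes, then the rest. */
static const uint8_t seg_a[] = { 0xEF, 0x61, 0x02, 0x00 };
static const uint8_t seg_b[] = { 0x06, 0x44, 0x9B, 0x2A, 0x74, 0x00, 0x06, 0x15,
                                 0xEF, 0x01, 0x01, 0x01, 0x02, 0x04, 0x33, 0xED };
int main(void)
{
    struct reasm r = { {0}, 0, 0 };
    int a = reasm_feed(&r, seg_a, sizeof seg_a);
    int b = reasm_feed(&r, seg_b, sizeof seg_b);
    printf("seg_a: %d PDUs, seg_b: %d PDU, length %zu\n", a, b, r.last_len);
}
```

Feeding `seg_b + 1` into a fresh state, which is the stream position the post reports the dissector being called at, returns -2 because 0x44 is not the start byte.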