Wireshark-dev: [Wireshark-dev] h.223 dissector: maybe a bug, maybe a fix?
From: Still Life <still.life@xxxxxxxx>
Date: Thu, 18 Jan 2007 18:25:53 +0100
...or maybe a version mismatch between Wireshark and the H.223 dissector?

Hi to all,

I'm trying to do a "fake" h.223 over TCP/IP traffic between two terminals using, as sources, two raw h.223 dump files. The idea is to make an approximate Ethernet-TCP/IP header and fill its datagram payload with the content of the two files (swapping the source and destination IP to distinguish direction) and use the WinPcap library to generate a Wireshark-compatible dump.

One general question: Is there another, more correct way to put the H.223 stream into Wireshark and use the h223 dissector? (The goal is the ability to analyze the stream within Wireshark in the simplest way possible).

The h.223 dissector that came with Wireshark 0.99.4 (http://wiki.wireshark.org/H223) fails to dissect this traffic. I've done some debug work on the h.223 dissector's code and maybe I've found a problem.

The point is this boolean flag:

    dirdata->first_pdu

This flag is set to TRUE in the following function when the dissector is called the first time over a single packet:

    static h223_call_info *find_or_create_call_info ( packet_info * pinfo )
    {
        [...]
        if( data == NULL ) {
            data = se_alloc(sizeof(h223_call_info));
            [OTHER1]
            [**** code that put to FALSE dirdata->first_pdu ****]
            [OTHER2]
        }
        [...]
    }

At this point the first execution of the packet dissection seems correct; during the execution the flag is set to FALSE. Wireshark, I don't know why, calls the dissector other times on the same packet, but when this happens "data" is already allocated so [**** code that put to FALSE dirdata->first_pdu ****] is not executed. This leads to a

    [Dissector bug, protocol H.223: proto.c:1190: failed assertion "(guint)hfindex < gpa_hfinfo.len"]

I changed the dissector code in this way:

    static h223_call_info *find_or_create_call_info ( packet_info * pinfo )
    {
        [...]
        if( data == NULL ) {
            data = se_alloc(sizeof(h223_call_info));
            [OTHER1]
            [OTHER2]
        }
        [**** code that put to FALSE dirdata->first_pdu ****]
        [...]
    }

But I'm not able to determine if this modification introduces some wrong "side effects".

I put in attachment a zipped file with:

    h223.dll            the modified h223 plugin dissector
    h223_first_60.cap   the first 60 packets of the tcp stream
    packet-h223.c       the modified dissector source file

Please, in Wireshark uncheck this TCP option:

    edit-->preference-->protocols-->TCP-->Analyze TCP sequence numbers

Open the h223_first_60.cap and use Analyze-->decode as...-->transport label-->tcp port "both"-->h223.

Now try to put my h223.dll in the Wireshark plugins directory (back up the original one) and re-open h223_first_60.cap.

Is there anyone who would give me any comments or suggestions?

Thanks,
Fabio Sguanci
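The wrapping described in the message (raw H.223 bytes placed in approximate Ethernet/IPv4/TCP headers, with source and destination swapped per direction) can also be produced by writing the pcap file format directly. This is an added example, not the poster's code; the addresses, port, chunk size and timestamps are assumptions.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet II + IPv4 + TCP around one chunk of raw H.223 bytes."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes(src_ip), bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # TCP: data offset 5 words, flags PSH|ACK, checksum left at 0 (approximate header)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(stream_a, stream_b, chunk=160, port=10000):
    """Interleave two one-way dumps as both directions of one TCP conversation."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    # Constructed addresses; swapping them is what marks the direction
    ends = {"a": ((10, 0, 0, 1), (10, 0, 0, 2)), "b": ((10, 0, 0, 2), (10, 0, 0, 1))}
    seq = {"a": 1, "b": 1}
    n = 0
    for off in range(0, max(len(stream_a), len(stream_b)), chunk):
        for side, data in (("a", stream_a), ("b", stream_b)):
            part = data[off:off + chunk]
            if not part:
                continue  # this direction's dump is exhausted
            src, dst = ends[side]
            pkt = frame(src, dst, port, port, seq[side], part)
            seq[side] = (seq[side] + len(part)) & 0xFFFFFFFF
            # Record header: ts_sec, ts_usec (assumed 20 ms spacing), captured len, original len
            out.append(struct.pack("<IIII", n // 50, (n % 50) * 20000, len(pkt), len(pkt)) + pkt)
            n += 1
    return b"".join(out)
```

Writing the returned bytes to a file in binary mode gives a capture that opens in Wireshark, after which the "Decode As" steps from the message apply to the chosen TCP port.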