Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message
From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 24 Mar 2010 09:59:36 -0400
Guy / Bill / Chris / Jakub / Mike So I did some more troubleshooting only to find the following:The dissector crashes in WinXP but not on my Fedora Core 9 box. This is weird.
Using editcap... I was able to find the frame on windows to which wireshark crashed on (which was frame 17641). I opened the same .pcap file on my FC-9 box (it did not crash)...but I went to frame 17641 only to find out that it is a Malformed Packet.
How I determine if it is a Helen packet or not....is that all helen packets start with 0xbead which is the "magic number". I have never had this problem before as I found thousands of Helen packets this way. But this malformed packet has a magic number of 0x293e .... which then through the rest of the packet info off and crashed wireshark (on Windows).
Any thoughts..??Do I need to make sure that the hf_helen_magic is equal to 0xBEAD.....and if not I discard this packet..??
Why did it find this packet and assume that it was a Helen Packet..?? Was it because 0x293e is equal to 0xBEAD in length so it just assumed it was a helen packet..??
Attached is the code. Thanks for your help, Brian
/* ***** BEGIN LICENSE BLOCK *****
This program will dissect Dark Corner Software's Helen Packets.
Copyright (C) 2010 Kenneth Flynn flynnk@xxxxxxxxxxxxxxxxxxxxxx
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdio.h>
#include <glib.h>
#include <epan/packet.h>
#include <time.h>
#include <string.h>
#define PROTO_TAG_HELEN "HELEN"
static int proto_helen = -1;
static dissector_handle_t helen_handle;
void dissect_helen(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
/*The following port is registered with IANA*/
static int helen_port = 5136;
static const char *mon_names[12] = {"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"};
static const value_string helen_gps_status[] = {
{ 0, "Good" },
{ 1, "No Fix" },
{ 2, "Bad GPS Read" },
{ 0, NULL }
};
/*not used*/
static const range_string helen_code[] = {
{0x8000, 0xfffe, "Experimental"},
{0xffff, 0xffff, "Encryption Extension"},
{0, 0, "Tail"},
{1, 1, "GPS Extension"},
{2, 2, "Flow Extension"},
{3, 3, "Host Extension"},
{4, 4, "File Extension"},
{5, 999, "Reserved"},
{1000, 1000, "Minotaur SA Extension"},
{16000, 32767, "Unassigned"},
{0, 0, NULL}
};
static gint hf_helen_magic = -1;
static gint hf_helen_checksum = -1;
static gint hf_helen_txTime = -1;
static gint hf_helen = -1;
static gint hf_helen_time = -1;
static gint hf_helen_ipv4 = -1;
static gint hf_helen_ipv6 = -1;
static gint hf_helen_nos = -1;
static gint hf_helen_flowname = -1;
static gint hf_helen_longitude = -1;
static gint hf_helen_latitude = -1;
static gint hf_helen_altitude = -1;
static gint hf_helen_bearing = -1;
static gint hf_helen_speed = -1;
static gint hf_helen_sequence_num = -1;
static gint hf_helen_gpsstatus = -1;
static gint hf_helen_source = -1;
/*not used*/
static gint hf_helen_code = -1;
static gint ett_helen = -1;
void dissect_helen(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
proto_item *helen_item = NULL;
proto_item *helen_sub_item = NULL;
proto_tree *helen_tree = NULL;
proto_tree *helen_header_tree = NULL;
col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_TAG_HELEN);
col_clear(pinfo->cinfo, COL_INFO);
if (tree) {
guint32 offset = 0;
guint32 orig_offset = 18;
nstime_t t;
guint64 msecs_since_the_epoch;
struct tm *tmp;
helen_item = proto_tree_add_item(tree, proto_helen, tvb, 0, -1, FALSE);
helen_tree = proto_item_add_subtree(helen_item, ett_helen);
helen_header_tree = proto_item_add_subtree(helen_item, ett_helen);
helen_sub_item = proto_tree_add_item(helen_tree, hf_helen_magic, tvb, offset, 2, FALSE);
offset += 2;
helen_sub_item = proto_tree_add_item(helen_tree, hf_helen_checksum, tvb, offset, 8, FALSE);
offset += 8;
msecs_since_the_epoch = tvb_get_ntoh64(tvb, offset);
t.secs = msecs_since_the_epoch/1000;
t.nsecs = (msecs_since_the_epoch%1000)*1000000; /* milliseconds to nanoseconds */
tmp = gmtime(&t.secs);
proto_tree_add_time_format(helen_tree, hf_helen_txTime, tvb, offset, 8, &t,
"Date: %s %2d, %d %02d:%02d:%02d UTC",mon_names[tmp->tm_mon],tmp->tm_mday,
tmp->tm_year + 1900,tmp->tm_hour,tmp->tm_min,tmp->tm_sec);
/*not used*/
//proto_tree_add_uint_format(helen_tree, hf_helen_txTime, tvb, offset, 8, msecs_since_the_epoch,
// "Date: %s %2d, %d %02d:%02d:%02d UTC",mon_names[tmp->tm_mon],tmp->tm_mday,
// tmp->tm_year + 1900,tmp->tm_hour,tmp->tm_min,tmp->tm_sec, msecs_since_the_epoch%1000);
helen_header_tree = proto_item_add_subtree(helen_sub_item, ett_helen);
{
#define MAX_BUFFER 100
char *buf = (char*)ep_alloc(MAX_BUFFER);
char * packet_name = "";
proto_tree *helen_sub_tree = NULL;
offset = 18;
for (;;) {
guint16 code;
guint16 numBytes = 0;
guint unknownPacket = 0;
guint codeOffset;
offset = orig_offset;
code = tvb_get_ntohs(tvb, offset);
codeOffset = offset;
offset += 2;
switch (code) {
case 0: packet_name = "End of Packet";
break;
case 1: packet_name = "GPS Extension";
break;
case 2: packet_name = "Flow Extension";
break;
case 3: packet_name = "Host Extension";
break;
default: packet_name = "Unknown code";
unknownPacket = 1;
break;
}
/*not used*/
//proto_tree_add_item(tree, hf_helen_code, tvb, offset, 2, FALSE);
g_snprintf(buf, MAX_BUFFER, "%s", packet_name);
if (unknownPacket) {
g_snprintf(buf, MAX_BUFFER, "Unknown packet: %d", code);
}
helen_item = proto_tree_add_text(tree, tvb, codeOffset, 2, "%s", buf);
helen_sub_tree = proto_item_add_subtree(helen_item, ett_helen);
if (code == 0) {
break;
}
numBytes = tvb_get_ntohs(tvb, offset);
offset += 2;
/* GPS: */
if (code == 1) {
guint8 fieldsAvail;
fieldsAvail = tvb_get_guint8(tvb, offset);
offset += 1;
/* Status: */
if ((fieldsAvail & 1) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_gpsstatus ,tvb , offset, 1, FALSE);
offset += 1;
}
/* Time: */
if ((fieldsAvail & 2) != 0) {
nstime_t t;
guint64 msecs_since_the_epoch;
struct tm *tmp;
msecs_since_the_epoch = tvb_get_ntoh64(tvb, offset);
t.secs = msecs_since_the_epoch/1000;
t.nsecs = (msecs_since_the_epoch%1000)*1000000; /* milliseconds to nanoseconds */
tmp = gmtime(&t.secs);
proto_tree_add_time_format(helen_sub_tree, hf_helen_time, tvb, offset, 8, &t,
"Date: %s %2d, %d %02d:%02d:%02d UTC",mon_names[tmp->tm_mon],tmp->tm_mday,
tmp->tm_year + 1900,tmp->tm_hour,tmp->tm_min,tmp->tm_sec);
offset += 8;
}
/* Longitude: */
if ((fieldsAvail & 4) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_longitude, tvb, offset, 4, FALSE);
offset += 4;
}
/* Latitude: */
if ((fieldsAvail & 8) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_latitude, tvb, offset, 4, FALSE);
offset += 4;
}
/* Altitude: */
if ((fieldsAvail & 16) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_altitude, tvb, offset, 4, FALSE);
offset += 4;
}
/* Bearing: */
if ((fieldsAvail & 32) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_bearing, tvb, offset, 4, FALSE);
offset += 4;
}
/* Speed: */
if ((fieldsAvail & 64) != 0) {
gfloat speed;
speed = tvb_get_ntohieee_float(tvb,offset);;
if (speed != 0.0) {
proto_tree_add_item(helen_sub_tree, hf_helen_speed, tvb, offset, 4, FALSE);
}
offset += 4;
}
/* Number of Satellites: */
if ((fieldsAvail & 128) != 0) {
proto_tree_add_item(helen_sub_tree, hf_helen_nos, tvb, offset, 1, FALSE);
offset += 1;
}
}
/* FLOW: */
if (code == 2) {
proto_tree_add_item(helen_sub_tree, hf_helen_flowname, tvb, offset, 8, FALSE);
offset += 8;
/* Sequence number: */
proto_tree_add_item(helen_sub_tree, hf_helen_sequence_num, tvb, offset, 4, FALSE);
offset += 4;
if (numBytes == 16) {
/* Source: */
proto_tree_add_item(helen_sub_tree, hf_helen_source, tvb, offset, 4, FALSE);
offset += 4;
}
}
/* HOST: */
if (code == 3) {
/* Size: */
guint8 size;
size = tvb_get_guint8(tvb, offset);
offset += 1;
if (size == 4) {
proto_tree_add_item(helen_sub_tree, hf_helen_ipv4, tvb, offset, 4, FALSE);
offset += 4;
} else
{
proto_tree_add_item(helen_sub_tree, hf_helen_ipv6, tvb, offset, 16, FALSE);
offset += 16;
}
}
orig_offset += numBytes + 4;
}
}
}
}
void proto_reg_handoff_helen(void) {
static gboolean initialized = FALSE;
if (!initialized) {
helen_handle = create_dissector_handle(dissect_helen, proto_helen);
dissector_add("udp.port", helen_port, helen_handle);
}
initialized = TRUE;
}
void proto_register_helen(void) {
static hf_register_info hf[] = {
{ &hf_helen,
{ "Data", "helen.data", FT_NONE, BASE_NONE, NULL, 0x0,
"HELEN PDU", HFILL}},
{ &hf_helen_magic,
{ "Magic Number", "helen.magicNumber", FT_UINT8, BASE_HEX, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_checksum,
{ "Checksum", "helen.checksum", FT_UINT64, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_txTime,
{ "System Tx Time", "helen.SystemTxTime", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_time,
{ "Time", "helen.time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_ipv4,
{ "IPv4", "helen.ipv4address", FT_IPv4, BASE_NONE, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_ipv6,
{ "IPv6", "helen.ipv6address", FT_IPv6, BASE_NONE, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_sequence_num,
{ "Sequence Number", "helen.sequenceNumber", FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_source,
{ "Source", "helen.source", FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_nos,
{ "Number of Satellites", "helen.numberOfSatellites", FT_UINT8, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_flowname,
{ "Flowname", "helen.flowname", FT_STRING, BASE_NONE, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_gpsstatus,
{ "GPS Status", "helen.gpsStatus", FT_UINT8, BASE_DEC, VALS(helen_gps_status), 0x0,
NULL, HFILL}},
/*not used*/
{ &hf_helen_code,
{ "Packet COde", "helen.packetCode", FT_UINT8, BASE_DEC, VALS(helen_code), 0x0,
NULL, HFILL}},
/**/
{ &hf_helen_longitude,
{ "Longitude", "helen.longitude", FT_FLOAT, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_latitude,
{ "Latitude", "helen.latitude", FT_FLOAT, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_altitude,
{ "Altitude", "helen.altitude", FT_FLOAT, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_bearing,
{ "Bearing", "helen.bearing", FT_FLOAT, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
{ &hf_helen_speed,
{ "Speed", "helen.speed", FT_FLOAT, BASE_DEC, NULL, 0x0,
NULL, HFILL}},
};
static gint * ett[] = {&ett_helen};
proto_helen = proto_register_protocol("HELEN", "HELEN", "helen");
proto_register_field_array(proto_helen, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
register_dissector("helen", dissect_helen, proto_helen);
}
- Follow-Ups:
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Maynard, Chris
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Jakub Zawadzki
- Re: [Wireshark-dev] Packet Size limited during capture message
- References:
- [Wireshark-dev] Packet Size limited during capture message
- From: Brian Oleksa
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Guy Harris
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Brian Oleksa
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Guy Harris
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Brian Oleksa
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Bill Meier
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Brian Oleksa
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Bill Meier
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Brian Oleksa
- Re: [Wireshark-dev] Packet Size limited during capture message
- From: Bill Meier
- [Wireshark-dev] Packet Size limited during capture message
- Prev by Date: Re: [Wireshark-dev] Capture Sanitisation
- Next by Date: Re: [Wireshark-dev] plugin
- Previous by thread: Re: [Wireshark-dev] Packet Size limited during capture message
- Next by thread: Re: [Wireshark-dev] Packet Size limited during capture message
- Index(es):