Wireshark-dev: Re: [Wireshark-dev] dissect_ip() and check for header length

From: Petr Sumbera <Petr.Sumbera@xxxxxxx>
Date: Fri, 17 Sep 2010 14:32:55 +0200
Dne 16.09.10 19:52, Guy Harris napsal(a):
On Sep 16, 2010, at 7:12 AM, Petr Sumbera wrote:
I didn't say how big the *packet* is, I said how big the *header* is.  IPv4 has two length fields, the header length, which is what you say is zero, and the total length.  If you only know the total length, you *CANNOT* determine the header length.  What you originally said was

But the problem is that stored packets for *outgoing* traffic doesn't
contain "Header length" (it's zero as at layer where it was captured it
wasn't filled, the same case is for "Header checksum").

dissect_ip() for such packets will report just:
"Header length: %u bytes (bogus, must be at least %u)".

which was referring to the header length, not the total length.

My mistake I found wrong occurrence of "bogus" word and worked with it. In reality I'm seeing only this:

Total length: 0 bytes (bogus, less than header length 20)

You would have to make a copy of the packet data and construct a new tvbuff - and even that, as noted, can not and will not fix

I guess I should go this way then?

For now I did another quick hack you probably wouldn't like it:

--- wireshark-1.2.10/epan/dissectors/packet-ip.c.orig
+++ wireshark-1.2.10/epan/dissectors/packet-ip.c
@@ -1487,7 +1487,7 @@
   if (ip_tso_supported && !iph->ip_len)
          iph->ip_len = tvb_reported_length(tvb);

-  if (iph->ip_len < hlen) {
+ if (iph->ip_len < hlen && (iph->ip_len!=0 && tvb_get_ntohs(tvb, offset + 10)!=0)) {
     if (check_col(pinfo->cinfo, COL_INFO))
col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less than header length %u)",
        iph->ip_len, hlen);
@@ -1504,7 +1504,8 @@
    * obviously bogus, adjust the length of this tvbuff to include only
    * the IP datagram.
    */
-  set_actual_length(tvb, iph->ip_len);
+  if (iph->ip_len)
+    set_actual_length(tvb, iph->ip_len);

   if (tree)
proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);

Thanks for helping me with this!

Petr