Wireshark-dev: Re: [Wireshark-dev] Wireshark or protocol bug? (HTTP MIME multipart)

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 25 Oct 2010 15:30:21 +0200

Hi,

I see no problem here. It loads fine in Wireshark 1.4.1.

What I do see, and which is a bug in Wireshark, is that it doesn't treat it as multipart/mixed, as stated in RFC 2046, Section 5.1.3:

   Any "multipart" subtypes that an implementation does not recognize
must be treated as being of subtype "mixed".

Thanks,
Jaap

On Sun, 24 Oct 2010 12:08:18 +0200, Kaul <mykaul@xxxxxxxxx> wrote:

I'm trying to add dissection of Kerberos encrypted HTTP sessions.
Mostly, it's OK (got the headers parsed correctly, would file a BZ for this patch soon).
However, when I'm trying to work with the body, which is a MIME multipart, it fails with exception.
The reason seems to be that it does not have the double CRLF which is expected between headers and body of a MIME (?):
imf_find_field_end() seems to fail to find additional CRLF - before the binary data (which is actually a Kerberos blob) appears.

Attached please find a small capture showing the problem - not sure who's fault it is - or if it's fixable somehow in Wireshark.
See packet 8 (dissect as HTTP please).

Regards,
Y.