Wireshark-dev: Re: [Wireshark-dev] q on catching error in sub-dissectors.

From: João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Jan 2020 16:06:13 +0000


On 21/01/20 16:01, Jeff Morriss wrote:
We've been having fun with multiple PDUs in a single IP frame with SCTP for years.  While there's room for improvement it's worked pretty well.

Maybe I didn't explain well, but that's completely different to multiple IP packets encapsulated in a single frame. L4 multiplexing is nothing new, I agree.



On Tue, Jan 21, 2020 at 9:58 AM João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx> wrote:
By the way usually a tunnel encapsulates a single packet. I'm not aware
of any other protocol multiplexing at the IP level. I would assume
Wireshark requires some replumbing to handle that. Something like TFS
being treated as a framing layer. Just food for thought.

On 21/01/20 14:46, João Valverde wrote:
>
>
> On 21/01/20 14:33, Christian Hopps wrote:
>> So I've got a payload of packets in a single frame. I'm calling
>> dissector_try_uint_new() to dissect each payload (typically IPv4
>> packets). Some of these packets are considered "malformed" by
>> wireshark (e.g., created by scapy/trex with some bogus values).
>>
>> The problem I'm hitting is that the first malformed inner packet
>> fails all the way out of my parent dissector, so it doesn't dissect
>> any of the other packets in the payload.
>>
>> Another problem I'm having is that the IP sub-dissector is
>> overwriting my source and destination addresses in the pinfo/tree
>> (not sure which doesn't really matter).
>>
>> Summary:
>>
>> - How can I "catch" errors in a subdissector so I can call other
>> sub-dissectors?
>
> Use TRY/CATCH (in epan/exceptions.h).
>
>> - How can I "block" sub-dissectors from overwriting my outer header
>> information?
>
> I don't think you can. Maybe your IPTFS dissector can set it after the
> sub-dissectors run.
>
>>
>> Thanks,
>> Chris.
>> ___________________________________________________________________________
>>
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
>
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe