Wireshark-dev: Re: [Wireshark-dev] tshark --export-objects : -2 assumed or required for two-pas

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Mon, 10 Aug 2020 23:07:44 -0500
There seems to be an extra call to dissect_dcm_tag() in Wireshark before
sop_class_uid and sop_instance_uid are needed in dcm_export_create_object().

In tshark they are null so fail the test of containing data and boilerplate values are put in.

This started with a question about number of exported objects:

Maybe cleaning things up so that the UIDs match in exports from wireshark and tshark will also fix file exports?


dcm_export_create_object(packet_info *pinfo, dcm_state_assoc_t *assoc, dcm_state_pdv_t *pdv)
--------------------------------------------------------------------------------------------
  tshark_debug("is_storage =  %d", pdv->is_storage);
  tshark_debug("packet =  %d", pinfo->num);
  tshark_debug("sop_class_uid =  %s", pdv_curr->sop_class_uid);
  tshark_debug("sop_instance_uid =  %s", pdv_curr->sop_instance_uid);

    if (pdv->is_storage &&
        pdv_curr->sop_class_uid    && strlen(pdv_curr->sop_class_uid)>0 &&
        pdv_curr->sop_instance_uid && strlen(pdv_curr->sop_instance_uid)>0) {



dissect_dcm_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
--------------------------------------------------------------------------------------------
        /* -------------------------------------------------------------
           We have decoded the value. Now store those tags of interest
           -------------------------------------------------------------
        */

        /* Store SOP Class and Instance UID in first PDV of this object */
        if (grp == 0x0008 && elm == 0x0016) {
            dcm_state_pdv_get_obj_start(pdv)->sop_class_uid = wmem_strdup(wmem_file_scope(), tag_value);
  tshark_debug("dissect_dcm_tag() set sop_class_uid =  %s", dcm_state_pdv_get_obj_start(pdv)->sop_class_uid);
        }
        else if (grp == 0x0008 && elm == 0x0018) {
            dcm_state_pdv_get_obj_start(pdv)->sop_instance_uid = wmem_strdup(wmem_file_scope(), tag_value);
  tshark_debug("dissect_dcm_tag() set sop_instance_uid =  %s", dcm_state_pdv_get_obj_start(pdv)->sop_instance_uid);
        }
        else if (grp == 0x0000 && elm == 0x0100) {
            /* This is the command tag -> overwrite existing PDV description */
            pdv->desc = wmem_strdup(wmem_file_scope(), tag_value);
        }

admin1@ubuntu1:~/wireshark/build/run$ ./tshark -v

** (process:26290): WARNING **: 22:52:05.703: tshark started with 2 args

** (process:26290): WARNING **: 22:52:06.003: tshark reading settings
TShark (Wireshark) 3.2.3 (Git commit f39b50865a13)

Copyright 1998-2020 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua
5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 4.15.0-112-generic, with Intel(R) Xeon(R) CPU           E5645
@ 2.40GHz (with SSE4.2), with 3944 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1,
with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 7.5.0.
admin1@ubuntu1:~/wireshark/build/run$


admin1@ubuntu1:~/wireshark/build/run$ ./tshark -2 -r ../../*cap --export-objects dicom,. -q 2>&1 | grep -i = | more
** (process:26252): WARNING **: 22:50:50.454: tshark: do_dissection = FALSE
** (process:26252): WARNING **: 22:50:50.456: tshark: perform_two_pass_analysis, do_dissection=TRUE
** (process:26252): WARNING **: 22:50:50.456: tshark: create_proto_tree = FALSE
** (process:26252): WARNING **: 22:50:50.468: is_storage =  0
** (process:26252): WARNING **: 22:50:50.468: packet =  585
** (process:26252): WARNING **: 22:50:50.468: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.468: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.468: is_storage =  0
** (process:26252): WARNING **: 22:50:50.468: packet =  588
** (process:26252): WARNING **: 22:50:50.468: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.468: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.470: is_storage =  0
** (process:26252): WARNING **: 22:50:50.470: packet =  649
** (process:26252): WARNING **: 22:50:50.470: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.470: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.519: is_storage =  1
** (process:26252): WARNING **: 22:50:50.519: packet =  2804
** (process:26252): WARNING **: 22:50:50.519: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.519: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: is_storage =  0
** (process:26252): WARNING **: 22:50:50.521: packet =  2808
** (process:26252): WARNING **: 22:50:50.521: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: is_storage =  0
** (process:26252): WARNING **: 22:50:50.521: packet =  2810
** (process:26252): WARNING **: 22:50:50.521: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: is_storage =  0
** (process:26252): WARNING **: 22:50:50.521: packet =  2815
** (process:26252): WARNING **: 22:50:50.521: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.521: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.533: tshark: create_proto_tree = TRUE
** (process:26252): WARNING **: 22:50:50.579: is_storage =  0
** (process:26252): WARNING **: 22:50:50.579: packet =  585
** (process:26252): WARNING **: 22:50:50.579: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.579: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.580: is_storage =  0
** (process:26252): WARNING **: 22:50:50.580: packet =  588
** (process:26252): WARNING **: 22:50:50.580: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.580: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.585: is_storage =  0
** (process:26252): WARNING **: 22:50:50.585: packet =  649
** (process:26252): WARNING **: 22:50:50.585: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.585: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.746: is_storage =  1
** (process:26252): WARNING **: 22:50:50.746: packet =  2804
** (process:26252): WARNING **: 22:50:50.746: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.746: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.747: dissect_dcm_tag() set sop_class_uid =  1.2.840.10008.5.1.4.1.1.7 (Secondary Capture Image Stora
ge)
** (process:26252): WARNING **: 22:50:50.747: dissect_dcm_tag() set sop_instance_uid =  1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.84
5
** (process:26252): WARNING **: 22:50:50.748: is_storage =  0
** (process:26252): WARNING **: 22:50:50.748: packet =  2808
** (process:26252): WARNING **: 22:50:50.748: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.748: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.749: is_storage =  0
** (process:26252): WARNING **: 22:50:50.749: packet =  2810
** (process:26252): WARNING **: 22:50:50.749: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.749: sop_instance_uid =  (null)
** (process:26252): WARNING **: 22:50:50.749: is_storage =  0
** (process:26252): WARNING **: 22:50:50.749: packet =  2815
** (process:26252): WARNING **: 22:50:50.749: sop_class_uid =  (null)
** (process:26252): WARNING **: 22:50:50.749: sop_instance_uid =  (null)
admin1@ubuntu1:~/wireshark/build/run$


admin1@ubuntu1:~/wireshark/build/run$ ./wireshark -v
Wireshark 3.2.3 (Git commit f39b50865a13)

Copyright 1998-2020 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.9.5, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.14.0, with Lua 5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt
1.8.1, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with SBC, with SpanDSP, without bcg729.

Running on Linux 4.15.0-112-generic, with Intel(R) Xeon(R) CPU           E5645
@ 2.40GHz (with SSE4.2), with 3944 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1,
with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 7.5.0.
admin1@ubuntu1:~/wireshark/build/run$ ./wireshark
22:53:10.495          Warn dissect_dcm_tag() set sop_class_uid =  1.2.840.10008.5.1.4.1.1.7 (Secondary Capture Image Storage)
22:53:10.495          Warn dissect_dcm_tag() set sop_instance_uid =  1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845
22:53:15.992          Warn is_storage =  0
22:53:15.992          Warn packet =  585
22:53:15.992          Warn sop_class_uid =  (null)
22:53:15.992          Warn sop_instance_uid =  (null)
22:53:15.992          Warn is_storage =  0
22:53:15.992          Warn packet =  588
22:53:15.992          Warn sop_class_uid =  (null)
22:53:15.992          Warn sop_instance_uid =  (null)
22:53:15.994          Warn is_storage =  0
22:53:15.994          Warn packet =  649
22:53:15.994          Warn sop_class_uid =  (null)
22:53:15.994          Warn sop_instance_uid =  (null)
22:53:16.043          Warn is_storage =  1
22:53:16.043          Warn packet =  2804
22:53:16.043          Warn sop_class_uid =  1.2.840.10008.5.1.4.1.1.7 (Secondary Capture Image Storage)
22:53:16.043          Warn sop_instance_uid =  1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845
22:53:16.045          Warn is_storage =  0
22:53:16.045          Warn packet =  2808
22:53:16.045          Warn sop_class_uid =  (null)
22:53:16.045          Warn sop_instance_uid =  (null)
22:53:16.045          Warn is_storage =  0
22:53:16.045          Warn packet =  2810
22:53:16.045          Warn sop_class_uid =  (null)
22:53:16.045          Warn sop_instance_uid =  (null)
22:53:16.045          Warn is_storage =  0
22:53:16.045          Warn packet =  2815
22:53:16.045          Warn sop_class_uid =  (null)
22:53:16.045          Warn sop_instance_uid =  (null)
22:53:16.111          Warn is_storage =  1
22:53:16.111          Warn packet =  2804
22:53:16.111          Warn sop_class_uid =  1.2.840.10008.5.1.4.1.1.7 (Secondary Capture Image Storage)
22:53:16.111          Warn sop_instance_uid =  1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845
22:53:16.113          Warn dissect_dcm_tag() set sop_class_uid =  1.2.840.10008.5.1.4.1.1.7 (Secondary Capture Image Storage)
22:53:16.113          Warn dissect_dcm_tag() set sop_instance_uid =  1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845
Gtk-Message: 22:53:25.655: GtkDialog mapped without a transient parent. This is discouraged.
admin1@ubuntu1:~/wireshark/build/run$


On Mon, Aug 10, 2020 at 10:03 PM chuck c <bubbasnmp@xxxxxxxxx> wrote:
I think I muddied that waters asking about two-pass and export objects.

The tshark export (with or without -2) works in versions 2.6 and 3.0.
Something changed in 3.2 such that wireshark produces a good file and the tshark export doesn't match.

Pretty much in over my head as to whether to look in tshark.c, packet-dcm.c or somewhere else.
Was hoping to narrow things down before moving this to Bugzilla.

On Mon, Aug 10, 2020 at 9:30 PM Guy Harris <gharris@xxxxxxxxx> wrote:
On Aug 10, 2020, at 6:00 PM, John Thacker <johnthacker@xxxxxxxxx> wrote:

> On Mon, Aug 10, 2020 at 5:32 PM chuck c <bubbasnmp@xxxxxxxxx> wrote:
>> tshark --export-objects dicom is behaving differently than exporting Dicom objects in Wireshark.
>>
>> Is the "-2" option assumed to be set, observed if set or not used at all for exporting objects with tshark?
>
> Having implemented Export Objects on a different custom TFTP-like protocol, I experienced the same thing.
>
> With tshark, -2 is observed if set, and that can result in different behavior. Generally more accurate information is obtained with two passes, which is equivalent to Wireshark behavior.

Generally, at least for packet dissection, the only thing you get if you defer displaying packets until after the first pass is that you get to see not only "this frame is dissected as a response to the packet dissected for frame N" but also "this frame is dissected as a packet the response to which is in frame M".  There may be exceptions, but it's best to keep them to a minimum.

> There are certain protocols where single pass analysis just isn't sufficient to determine all the data, and dissectors where some state object is set, like packet-dcm.c, are a common case.

If M < N, most protocols do not require data from packet N (at that protocol layer) in order to process packet M; that even applies to implementations that maintain state.  The same applies to dissection; when dissecting a packet, all state established by previous packets is available.

What are some examples where you need information from *later* packets to:

        dissect a packet completely;

        start constructing a file object?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe