Wireshark · Wireshark-dev: Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?

Wireshark-dev: Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>

Date: Mon, 13 Feb 2023 09:49:43 +0000

Thanks John,

That does seem to be the pattern, most are caused by:

- a type that later got expanded, and sometimes the older field width and original subset of values are still used

- a value that is read elsewhere and this is just the field where the value is added/displayed (not sure in this case whether the value will get sliced down to the field width)

The check itself is a bit messy - I'll park this change and maybe revisit later.

Martin

On Mon, Feb 13, 2023 at 1:08 AM John Thacker <johnthacker@xxxxxxxxx> wrote:

The bittorrent one is fine. The message type field in a packet with the standard protocol is a single byte. There's an Azureus dialect that clients can switch to if they both speak it, and it has some extra message types specified with string names only. The dissector uses the message type field with internal Wireshark only numbers for those types.

For EAP, the MNC has a certain value, but the string to use depends on the MCC. `proto_tree_add_uint` is used there, but probably the more complicated `proto_tree_add_uint_format_value` call from packet-e212.c is appropriate in order have just the MNC for the value.

John Thacker

On Sun, Feb 12, 2023, 6:14 PM Martin Mathieson via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
Hi,

I have added another check to CHECK_HF_FILTER in proto.c (extra checks that only get done in the 'CLANG + Code checks' pipeline build) to check for values in an item's value_string that could not be represented in the item's type (e.g. a value of > 255 for FT_UINT8). I can eventually look into all of them, but if anyone recognises a filter below from a protocol they know well and could check it, that would be great.

I understand the RoHC case, but haven't looked into many others. One thing that made this check tricky was dealing with -ve numbers in the macro where this check is done, but hopefully few/none of these cases here are just because of -ve numbers cast to an unsigned type.

Thanks,
Martin

** (tshark:122026) 22:58:47.725497 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Message Type" filter bittorrent.msg.type value of 260 cannot be represented

** (tshark:122026) 22:58:47.824725 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Tag" filter cbor.type.tag value of 22098 cannot be represented

** (tshark:122026) 22:58:47.825338 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Class" filter cip.class value of 272 cannot be represented

** (tshark:122026) 22:58:48.432044 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Class" filter devicenet.class value of 272 cannot be represented

** (tshark:122026) 22:58:48.432137 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Type" filter dhcp.vendor.pktc.mta_cap_type value of 12609 cannot be represented

** (tshark:122026) 22:58:48.441871 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter eap.identity.mnc value of 99101 cannot be represented

** (tshark:122026) 22:58:48.442037 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter eap.identity.mnc value of 999999 cannot be represented

** (tshark:122026) 22:58:48.443270 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "SDO Transfer Abort" filter epl.asnd.sdo.cmd.abort.code value of 134217763 cannot be represented

** (tshark:122026) 22:58:48.449709 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Radio Resources Management Message Type" filter gmr1.rr.msg_type value of 318 cannot be represented

** (tshark:122026) 22:58:48.452640 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Error" filter h450.error value of 2002 cannot be represented

** (tshark:122026) 22:58:48.457042 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "error code" filter jdwp.errorcode value of 511 cannot be represented

** (tshark:122026) 22:58:48.459379 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Network Address family" filter lldp.network_address.subtype value of 16396 cannot be represented

** (tshark:122026) 22:58:48.459399 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Address Subtype" filter lldp.mgn.address.subtype value of 16396 cannot be represented

** (tshark:122026) 22:58:48.467792 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "R. Trigger" filter mip6.bri_r.trigger value of 296 cannot be represented

** (tshark:122026) 22:58:48.477608 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Charset" filter mysql.charset value of 308 cannot be represented

** (tshark:122026) 22:58:48.477719 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Charset" filter mariadb.charset value of 1248 cannot be represented

** (tshark:122026) 22:58:48.477750 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Server Language" filter mysql.server_language value of 308 cannot be represented

** (tshark:122026) 22:58:48.477807 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "Server Language" filter mariadb.server_language value of 1248 cannot be represented

** (tshark:122026) 22:58:48.483603 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT16, "Attribute Type" filter nl80211.feature_flags value of 1073741824 cannot be represented

** (tshark:122026) 22:58:48.484453 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "id" filter ngap.id value of 360 cannot be represented

** (tshark:122026) 22:58:48.491592 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "ROHC profile" filter pdcp-lte.rohc.profile value of 263 cannot be represented

** (tshark:122026) 22:58:48.491635 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "ROHC profile" filter pdcp-nr.rohc.profile value of 259 cannot be represented

** (tshark:122026) 22:58:48.491775 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT16, "Outer Header Creation Description" filter pfcp.outer_hdr_desc value of 131072 cannot be represented

** (tshark:122026) 22:58:48.492081 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Address Family" filter pim.addr_address_family value of 16396 cannot be represented

** (tshark:122026) 22:58:48.492158 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT16, "Share Type" filter lanman.share.type value of 2147483650 cannot be represented

** (tshark:122026) 22:58:48.494180 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Service" filter qsig.service value of 21889 cannot be represented

** (tshark:122026) 22:58:48.494209 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Error" filter qsig.error value of 1040 cannot be represented

** (tshark:122026) 22:58:48.494871 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "id" filter ranap.id value of 292 cannot be represented

** (tshark:122026) 22:58:48.497116 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "Profile" filter rohc.profile value of 263 cannot be represented

** (tshark:122026) 22:58:48.502175 [Epan WARNING] epan/proto.c:8495 -- tmp_fld_check_assert(): FT_UINT8, "id" filter s1ap.id value of 344 cannot be represented

** (tshark:122026) 22:58:48.769449 [Epan WARNING] epan/proto.c:8499 -- tmp_fld_check_assert(): FT_UINT8, "IOCTL Response" filter gryphon.cmd.ioctl_response value of 299171852 cannot be represented
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-dev] Some items with apparently out-of-range value_string values?
  - From: Martin Mathieson
- Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?
  - From: John Thacker

Prev by Date: Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?
Previous by thread: Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?
Index(es):
- Date
- Thread