[Wireshark-dev] AMQP-Parser only recognizes 1-byte-encoded performative values

From: Lothar Kimmeringer <job@xxxxxxxxxxxxxx>
Date: Wed, 3 Jul 2024 15:59:32 +0200
Hi,

(tested, using Wireshark 4.2.5 (v4.2.5-0-g4aa814ac25a1))

there are AMQP-systems out there sending AMQP-headers encoding the
single-byte performative-value as multiple bytes (I can provide
a ptrace-file if needed):

0000
0010
0020
0030
0040   [...] 00 00 00 2a 02 00 00 00 00 80 00 00 00 00
                                        ^^^^^^^^^^^^^^
0050   00 00 00 11 c0 16 05 40 70 00 00 00 01 70 00 00
       ^^^^^^^^^^^
0060   00 32 70 00 00 00 32 70 7f ff ff ff

In this particular case "begin" (0x11) is transferred using
subcategory 0x8 (eight octets) and the value 0x11 preceded
by seven 0x00. Usually you see the use of subcategory 0x5
(single octet) and 0x11 without any preceding zeroes. Both
ways are allowed by the specification but the AMQP-parser
in Wireshark seems to ignore the subcategory information and
instead assumes the performative-value always to be a single
byte. This leads to error-messages in the description:

Advanced Message Queuing Protocol
    Length: 42
    Doff: 2
    Type: AMQP (0)
    Channel: 0
    Performative: Unknown (0)
        [Expert Info (Error/Protocol): Unknown AMQP performative 0]
            [Unknown AMQP performative 0]
            [Severity level: Error]
            [Group: Protocol]


Thanks and cheers, Lothar
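As an added illustration (not part of the post or of Wireshark's dissector), the following Python decoder reads the AMQP 1.0 frame header and then the performative descriptor honouring the constructor byte's width subcategory (0x44 ulong0, 0x53 smallulong, 0x80 eight-octet ulong, per the AMQP 1.0 type system). The first sample frame is the "begin" frame quoted above with the elided preceding bytes dropped; the second is a constructed re-encoding of the same frame using the one-octet form, and naive_descriptor() models the byte-after-constructor assumption the post describes, which yields 0 for the eight-octet case.

```python
import struct

# AMQP 1.0 performative descriptor codes (0x11 = "begin", as in the post)
PERFORMATIVES = {
    0x10: "open", 0x11: "begin", 0x12: "attach", 0x13: "flow",
    0x14: "transfer", 0x15: "disposition", 0x16: "detach",
    0x17: "end", 0x18: "close",
}

def decode_ulong(buf, pos):
    """Decode an AMQP 1.0 ulong whose constructor byte sits at buf[pos].
    The constructor's high nibble is the width subcategory: 0x4 = zero
    octets, 0x5 = one octet, 0x8 = eight octets. Returns (value, next_pos)."""
    ctor = buf[pos]
    if ctor == 0x44:                      # ulong0: value 0, no payload
        return 0, pos + 1
    if ctor == 0x53:                      # smallulong: one octet
        return buf[pos + 1], pos + 2
    if ctor == 0x80:                      # ulong: eight octets, big-endian
        return struct.unpack_from(">Q", buf, pos + 1)[0], pos + 9
    raise ValueError(f"unexpected ulong constructor 0x{ctor:02x}")

def parse_performative(frame):
    """Parse the 8-byte frame header plus the first performative's descriptor.
    Returns (frame_length, channel, descriptor_code, performative_name)."""
    length, doff, ftype, channel = struct.unpack_from(">IBBH", frame, 0)
    if ftype != 0:
        raise ValueError("not an AMQP (type 0) frame")
    pos = doff * 4                        # body begins after the extended header
    if frame[pos] != 0x00:                # described-type marker
        raise ValueError("performative body is not a described type")
    code, pos = decode_ulong(frame, pos + 1)
    return length, channel, code, PERFORMATIVES.get(code, f"Unknown ({code})")

def naive_descriptor(frame):
    """Models the behaviour reported in the post: take the single byte after
    the constructor as the whole descriptor, ignoring the width subcategory."""
    pos = frame[4] * 4
    return frame[pos + 2]

# Sample frame from the post: descriptor 0x11 encoded as an 8-octet ulong (0x80)
FRAME_ULONG8 = bytes.fromhex(
    "0000002a 02 00 0000 00 80 0000000000000011"
    "c016 05 40 70 00000001 70 00000032 70 00000032 70 7fffffff")
# Constructed variant: the same "begin" frame with a one-octet smallulong (0x53)
FRAME_SMALL = bytes.fromhex(
    "00000023 02 00 0000 00 53 11"
    "c016 05 40 70 00000001 70 00000032 70 00000032 70 7fffffff")
```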