Wireshark-users: Re: [Wireshark-users] Problems while decoding STUN Binding Request and Responses

From: Pedro Gonçalves <pedro.pandre@xxxxxxxxx>
Date: Fri, 20 Apr 2007 11:10:34 +0100
Graham Bloice wrote:
Pedro Gonçalves wrote:
Hi

I'm having some trouble while decoding STUN Binding Request and Responses.
Sometimes they get decoded the right way, sometimes STUN packets are
decoded as DNP 3.0, RTP or RTCP (?!).

I'm sending two captures I made so you can check for yourself:
for example, in problems_wireshark_1.pcap, odd packets are STUN Binding
Request and even packets are STUN Binding Responses.

Why are the first two packets decoded as DNP 3.0 and the rest of them
are decoded ok?


Which version of Wireshark?
The most recent, 0.99.5 for Windows XP.

The DNP decoding occurs because the messages are using port 20000 which
is the port DNP 3.0 uses.  I have strengthened the DNP heuristics
recently, including an error where UDP packets were treated as tcp
fragments.  This was committed as r20651 & r20683 around the beginning
of Feb 2007.  I don't think these were in 0.99.5.

My current version handles the file correctly.

As a workaround, disable DNP 3.0 from Analyze | Enabled Protocols ...,
or try a buildbot build.
Your workaround disabling DNP worked, but I'm still having some problems with STUN packets being decoded as RTP or RTCP. I think that has to do with the sequence of packets: in my original capture, I have:

(...)
178: SIP/SDP
179: STUN
180: RTP   (This is STUN, but decoded as RTP)
181: STUN
(...)

However, if I save the file starting in packet 179, all packets get well decoded.

Thanks anyway
Pedro