
Wireshark-bugs: [Wireshark-bugs] [Bug 2465] New: LDAP Message ID parsing error

Date: Tue, 15 Apr 2008 02:17:53 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2465

           Summary: LDAP Message ID parsing error
           Product: Wireshark
           Version: 1.0.0
          Platform: PC
        OS/Version: Windows 2000
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: chrisb@xxxxxxxxxxxxxxx


Created an attachment (id=1694)
 --> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=1694)
capture showing LDAP transactions (note: dc modified)

Build Information:
Compiled with GTK+ 2.12.8, with GLib 2.14.6, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.5,
with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT
Kerberos, with PortAudio V19-devel, with AirPcap.

Running on Windows 2000 Service Pack 4, build 2195, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804
--
Hi,

It seems there may be a bug with the parsing of the message ID from the LDAP message. The examples below use the attached pcap file.

Correct request and results are below...
Frames 13,14,15
Frames 33,34,35

Bug occurred with...
Frames 18,22,29

I.e., in frame 18, the TLV for message ID is (0x02 02 cd 4a). I should think this means the message ID is of length 2 bytes, and the message ID is 0xcd4a. I would expect Wireshark to interpret the searchRequest and messageID value as 0xcd4a or 52554. The searchRequest is currently showing -12982, and the messageID is showing 4294954314 (0xFFFF CD4A).

It seems the frames with the bug are not having the messageID interpreted correctly as a 2 byte message ID, but are prepending the 2 byte message ID with FF FF. I.e., for frame 18, instead of the message id being 0xCD4A it is shown as 0xFFFFCD4A in Wireshark.

btw... I've changed the dc value to zzzzzzz in the LDAP request to remove the company name. For this reason the TCP checksums have failed. Also, the LDAP queries in this capture are on port 2389 (not 389).

Thanks,
Chris
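Editor's added example, not code from the bug report or from Wireshark: a small BER decoder run over the messageID bytes quoted above. One caveat the report does not mention: X.690 defines INTEGER contents as two's complement, so a strictly conforming decoder reads `02 02 CD 4A` as -12982, and 4294954314 is that same value reinterpreted as an unsigned 32-bit word (0xFFFFCD4A). An encoder that means 52554 has to emit `02 03 00 CD 4A`, with a leading zero byte so the sign bit is clear. The helpers below show the signed and unsigned readings, the conforming encoding, and extraction of messageID from an LDAPMessage; the LDAPMessage wrappers (an UnbindRequest around the messageID) are constructed for this example, not taken from the attached capture.

```python
"""BER INTEGER decoding applied to the LDAP messageID bytes quoted in the report.

Editor's added example. The TLV bytes are typed in from the bug text; the
LDAPMessage wrappers are constructed here, not taken from the attachment.
"""


def read_tl(buf: bytes, off: int) -> tuple[int, int, int]:
    """Read a one-byte BER tag and a definite-form length at buf[off:].
    Returns (tag, content_length, offset_of_content)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return tag, first, off + 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length not supported")
    length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return tag, length, off + 2 + n


def decode_ber_integer(tlv: bytes) -> tuple[int, int]:
    """Decode one INTEGER TLV two ways: as X.690 two's complement (the
    conforming reading) and as a plain unsigned big-endian number."""
    tag, length, off = read_tl(tlv, 0)
    if tag != 0x02:
        raise ValueError("not a BER INTEGER (tag 0x02)")
    content = tlv[off:off + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty INTEGER content")
    return (int.from_bytes(content, "big", signed=True),
            int.from_bytes(content, "big", signed=False))


def as_uint32(value: int) -> int:
    """Reinterpret a signed value as a 32-bit unsigned word: what a dissector
    shows when a sign-extended 16-bit value lands in an unsigned 32-bit field."""
    return value & 0xFFFFFFFF


def encode_ber_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER per X.690: minimal two's-complement bytes,
    so a leading 0x00 is added whenever the top bit of the first byte is set."""
    if value < 0:
        raise ValueError("LDAP messageID is non-negative")
    n = (value.bit_length() + 8) // 8     # one extra bit reserved for the sign
    content = value.to_bytes(n, "big", signed=True)
    return bytes([0x02, len(content)]) + content


def ldap_message_id(msg: bytes, strict_x690: bool = True) -> int:
    """Pull messageID out of an LDAPMessage (SEQUENCE { messageID INTEGER, ... })."""
    tag, _, off = read_tl(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (tag 0x30)")
    id_start = off
    tag, length, off = read_tl(msg, id_start)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER (tag 0x02)")
    signed, unsigned = decode_ber_integer(msg[id_start:off + length])
    return signed if strict_x690 else unsigned


if __name__ == "__main__":
    # Frame 18 from the report: messageID TLV 02 02 CD 4A.
    signed, unsigned = decode_ber_integer(bytes.fromhex("02 02 cd 4a"))
    print(f"two's complement: {signed}, unsigned: {unsigned}, "
          f"as uint32: {as_uint32(signed)} (0x{as_uint32(signed):08X})")
    print("conforming encoding of 52554:", encode_ber_integer(52554).hex(" "))
    # Constructed LDAPMessage: SEQUENCE { messageID, unbindRequest (APPLICATION 2, NULL) }.
    msg = bytes.fromhex("30 06 02 02 cd 4a 42 00")
    print("strict:", ldap_message_id(msg),
          "lenient:", ldap_message_id(msg, strict_x690=False))
```

Running it against the frame 18 bytes reproduces both numbers from the report: the strict reading is -12982, and pushing that through `as_uint32` gives 4294954314. Whether the sender or the dissector is at fault depends on which reading the encoder intended; a client that wants messageID 52554 on the wire should produce the three-byte form.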

