Wireshark-bugs: [Wireshark-bugs] [Bug 5743] New: tshark incorrectly calculates tcp stream for so

Date: Tue, 8 Mar 2011 03:09:04 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5743

           Summary: tshark incorrectly calculates tcp stream for some syn
                    packets
           Product: Wireshark
           Version: 1.5.x (Experimental)
          Platform: x86-64
        OS/Version: Ubuntu
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: stefan.demharter@xxxxxxx


Created an attachment (id=6004)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6004)
A reduced tcp dump containing just some syn and syn-ack packets to demonstrate
the problem.

Build Information:
TShark 1.5.0 (SVN Rev Unknown from unknown)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.1, with libpcap 1.1.1, with libz 1.2.3.4, with
POSIX capabilities (Linux), without libpcre, without SMI, without c-ares,
without ADNS, without Lua, without Python, without GnuTLS, without Gcrypt, with
MIT Kerberos, without GeoIP.

Running on Linux 2.6.35-27-generic, with libpcap version 1.1.1, with libz
1.2.3.4.

Built using gcc 4.4.5.

--
Tshark incorrectly assigns a tcp-syn-packet to a previous tcp-stream if both
streams have the same source and destination.
I've tested this with the ubuntu packaged version 1.2.11, version 1.4.4 from
ppa and self-compiled version 1.5. All tested versions show the same behaviour.


The following shows a tshark command with its result to demonstrate this (Have
a look at packet 6):


tshark -n -r test.cap -e frame.number -e tcp.stream -e tcp.flags -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -T fields
1    0    0x02    10.1.73.43    33622    10.1.91.89    2001
2    0    0x12    10.1.91.89    2001    10.1.73.43    33622
3    1    0x02    10.1.73.43    50945    10.1.91.89    2001
4    1    0x02    10.1.73.43    50945    10.1.91.89    2001
5    1    0x12    10.1.91.89    2001    10.1.73.43    50945
6    0    0x02    10.1.73.43    33622    10.1.91.89    2001
7    2    0x12    10.1.91.89    2001    10.1.73.43    33622


Description of each packet:
1: SYN of stream 0 - ok
2: SYN-ACK of stream 0 - ok
3: SYN of stream 1 - ok
4: SYN-Retransmission of stream 1 - ok
5: SYN-ACK of stream 1 - ok
6: SYN of stream 2 - NOT OK: incorrectly identified as belonging to stream 0
(Has the same src and dst as stream 0)
7: SYN-ACK of stream 2 - ok


If you however open this file with wireshark, you can see that packet 6 has the
correct stream idx of 2. So, wireshark doesn't have this problem.


Regards
Stefan
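The stream-numbering logic the report is about, as an added Python example that is not part of the bug report or of Wireshark's own code: a small conversation tracker run over the seven packets from the report's table (constructed here from that table). With `split_on_new_syn=False` it keys purely on the 4-tuple and misassigns frame 6 to stream 0 like the tshark output above; with it enabled, a bare SYN arriving on a conversation that has already seen a SYN-ACK opens a new stream, while the SYN retransmission in frame 4 (no SYN-ACK seen yet) correctly stays in stream 1.

```python
SYN = 0x02
ACK = 0x10

# Constructed sample: the seven packets from the report's tshark output,
# as (frame, tcp.flags, ip.src, tcp.srcport, ip.dst, tcp.dstport).
PACKETS = [
    (1, 0x02, "10.1.73.43", 33622, "10.1.91.89", 2001),
    (2, 0x12, "10.1.91.89", 2001, "10.1.73.43", 33622),
    (3, 0x02, "10.1.73.43", 50945, "10.1.91.89", 2001),
    (4, 0x02, "10.1.73.43", 50945, "10.1.91.89", 2001),
    (5, 0x12, "10.1.91.89", 2001, "10.1.73.43", 50945),
    (6, 0x02, "10.1.73.43", 33622, "10.1.91.89", 2001),
    (7, 0x12, "10.1.91.89", 2001, "10.1.73.43", 33622),
]


def conv_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a connection share one key."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def assign_streams(packets, split_on_new_syn=True):
    """Return {frame number: stream index} for the given packets.

    split_on_new_syn=False: key on the 4-tuple only (reproduces the misassignment
    of frame 6 seen in the report).
    split_on_new_syn=True: a bare SYN on a conversation that already saw a
    SYN-ACK starts a new stream, which matches what Wireshark displays.
    """
    streams = {}  # conv_key -> [stream index, seen_synack]
    next_idx = 0
    result = {}
    for frame, flags, src, sport, dst, dport in packets:
        key = conv_key(src, sport, dst, dport)
        is_syn = flags & (SYN | ACK) == SYN            # SYN without ACK
        is_synack = flags & (SYN | ACK) == (SYN | ACK)
        entry = streams.get(key)
        # A SYN retransmission (no SYN-ACK seen yet) must NOT open a new stream;
        # a SYN after the old conversation completed its handshake must.
        if entry is None or (split_on_new_syn and is_syn and entry[1]):
            entry = [next_idx, False]
            streams[key] = entry
            next_idx += 1
        if is_synack:
            entry[1] = True
        result[frame] = entry[0]
    return result


if __name__ == "__main__":
    for frame, idx in assign_streams(PACKETS).items():
        print(frame, idx)
```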
