
Wireshark-dev: [Wireshark-dev] h.223 dissector: maybe a bug, maybe a fix?

From: Still Life <still.life@xxxxxxxx>
Date: Thu, 18 Jan 2007 18:27:32 +0100
...or maybe a version mismatch between Wireshark and
the H.223 dissector?

Hi to all,
I'm trying to generate "fake" h.223 over TCP/IP traffic
between two terminals using, as sources, two raw
h.223 dump files.
The idea is to make an approximate Ethernet-TCP/IP
header and fill its datagram payload with the
content of the two files (swapping the source and
destination IP to distinguish direction), using
the WinPcap library to generate a Wireshark-compatible dump.

One general question:
Is there another way, more correct, to put the H.223
stream into Wireshark and use the h223 dissector?
(The goal is the ability to analyze the stream within
Wireshark in the simplest way possible).

The h.223 dissector that comes with Wireshark 0.99.4
(http://wiki.wireshark.org/H223)
fails to dissect this traffic.

I've done some debug work over the h.223 dissector's code
and maybe I've found a problem.
The point is this boolean flag:

dirdata->first_pdu

this flag is set to TRUE in the following function when
the dissector is called the first time over a single packet:

static h223_call_info *find_or_create_call_info ( packet_info * pinfo )
{
    [...]

    if( data == NULL )
    {
        data = se_alloc(sizeof(h223_call_info));

        [OTHER1]
        [**** code that put to FALSE dirdata->first_pdu ****]
        [OTHER2]
    }

    [...]
}

At this point the first execution of the packet dissection seems
correct; during that execution the flag is set to FALSE.
Wireshark, I don't know why, calls the dissector further times
on the same packet, but when this happens "data" is already
allocated, so [**** code that put to FALSE dirdata->first_pdu ****]
is not executed. This leads to a
[Dissector bug, protocol H.223: proto.c:1190:
failed assertion "(guint)hfindex < gpa_hfinfo.len"]

I changed the dissector code in this way:

static h223_call_info *find_or_create_call_info ( packet_info * pinfo )
{
    [...]

    if( data == NULL )
    {
        data = se_alloc(sizeof(h223_call_info));
        [OTHER1]
        [OTHER2]
    }

    [**** code that put to FALSE dirdata->first_pdu ****]

    [...]
}

But I'm not able to determine whether this modification
introduces some unwanted "side effects".

I attach a zipped file containing:
h223.dll           the modified h223 plugin dissector
h223_first_60.cap  the first 60 packets of the TCP stream
packet-h223.c      the dissector's source file, modified

Please, in Wireshark uncheck this TCP option:
Edit-->Preferences-->Protocols-->TCP-->Analyze TCP sequence numbers
Open the h223_first_60.cap and use
Analyze-->decode as...-->transport label-->tcp port "both"-->h223.

Now try to put my h223.dll in the Wireshark plugins
directory (backup the original one) and re-open
h223_first_60.cap


Is there anyone who would give me any comments or suggestions?
Thanks,
               Fabio Sguanci





Attachment: h223_dissector_modified_and_dumpfile.zip
Description: Zip compressed data
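The wrapping procedure described in the post (approximate Ethernet/IPv4/TCP headers around two raw H.223 streams, source and destination swapped per direction, written out as a Wireshark-readable dump) as an added, self-contained example. This is not code from the post, from Wireshark or from WinPcap: it writes the classic libpcap file format directly with `struct`, so no capture library is needed, and it keeps the TCP sequence and acknowledgement numbers consistent so the "Analyze TCP sequence numbers" preference can stay enabled. The MAC addresses, IPs, ports, initial sequence numbers, timestamp base and 160-byte chunk size are made-up illustration values, and the two dump files are replaced by constructed byte strings.

```python
"""Build a pcap of synthetic Ethernet/IPv4/TCP frames around two raw H.223
byte streams, one stream per direction, so the capture can be opened in
Wireshark and the h223 dissector applied via "Decode As".

Added example, not code from the mailing-list post, Wireshark or WinPcap.
All addresses, ports and ISNs are hypothetical; the streams are constructed.
"""
import struct

# Constructed stand-ins for the two raw H.223 dump files (one per terminal).
TERMINAL_A_STREAM = bytes(range(256)) * 3           # 768 bytes, constructed
TERMINAL_B_STREAM = bytes(range(255, -1, -1)) * 2   # 512 bytes, constructed

# Hypothetical endpoint identities. Wireshark only needs them to be
# consistent; swapping src/dst is what tells the two directions apart.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PORT_A, PORT_B = 40000, 40001
PCAP_BASE_TIME = 1169141252  # fixed epoch seconds (Jan 2007), constructed


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum. Run over data that already contains a correct
    checksum field it returns 0, which is how parse_pcap verifies frames."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port,
                seq, ack, ident, payload):
    """Ethernet II + IPv4 + TCP (PSH|ACK) frame with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident,
                     0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def build_pcap(stream_a: bytes, stream_b: bytes, chunk_size: int = 160) -> bytes:
    """Alternate A->B and B->A segments of chunk_size bytes. Each side's ack
    is the other side's next expected seq, so TCP analysis stays happy.
    Chunk boundaries are arbitrary and ignore H.223 framing, which is the
    'approximate' part of the approach."""
    frames = []
    seq = {"A": 1000, "B": 5000}   # arbitrary ISNs, constructed
    pos = {"A": 0, "B": 0}
    hdrs = {"A": (MAC_A, MAC_B, IP_A, IP_B, PORT_A, PORT_B),
            "B": (MAC_B, MAC_A, IP_B, IP_A, PORT_B, PORT_A)}
    ident = 1
    while pos["A"] < len(stream_a) or pos["B"] < len(stream_b):
        for side, other, stream in (("A", "B", stream_a), ("B", "A", stream_b)):
            chunk = stream[pos[side]:pos[side] + chunk_size]
            if not chunk:
                continue
            frames.append(build_frame(*hdrs[side], seq[side], seq[other], ident, chunk))
            seq[side] += len(chunk)
            pos[side] += len(chunk)
            ident += 1
    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):          # one frame per millisecond
        usec = i * 1000
        out += struct.pack("<IIII", PCAP_BASE_TIME + usec // 1_000_000,
                           usec % 1_000_000, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Walk the file back, verify IPv4 and TCP checksums, and return
    [(src_ip, dst_ip, seq, payload)] so the result can be checked."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    off, records = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ip = frame[14:34]
        if ones_complement_checksum(ip):
            raise ValueError("bad IPv4 header checksum")
        total_len = struct.unpack_from("!H", ip, 2)[0]
        segment = frame[34:14 + total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        if ones_complement_checksum(pseudo + segment):
            raise ValueError("bad TCP checksum")
        records.append((ip[12:16], ip[16:20],
                        struct.unpack_from("!I", segment, 4)[0], segment[20:]))
    return records


if __name__ == "__main__":
    with open("fake_h223.pcap", "wb") as fh:
        fh.write(build_pcap(TERMINAL_A_STREAM, TERMINAL_B_STREAM))
    # In Wireshark: Analyze-->Decode As...-->TCP port 40000-->H223
```

Because the ports are arbitrary, Wireshark still needs "Decode As" to hand the TCP payload to the h223 dissector, exactly as the post describes; the difference is that the checksums and seq/ack numbers are valid, so no TCP preference has to be turned off to get a clean dissection. The chunking ignores H.223 frame boundaries on purpose, which is the same approximation the post makes when it splits the dump files into TCP payloads.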