Ethereal-dev: [Ethereal-dev] Bug in ethereal filtering on DF (Don't Fragment) flag?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andy Fingerhut <jafingerhut@xxxxxxx>
Date: Wed, 30 Mar 2005 17:21:28 -0800
I have a pcap file (attached as two-ip-pkts.pcap) with two IP packets. Frame 1 has the DF (Don't Fragment) bit equal to 1. Frame 2 has DF=0. This is easily confirmed with:

tethereal -r two-ip-pkts.pcap -V

Also attached is a short shell script repro.sh that I used on a Linux 2.4.21 kernel x86 machine to produce the output shown in the attached file linux-2.4-repro-output.txt. I got the same results on a Mac OS X 10.3.8 machine running tethereal 0.10.3.

I haven't checked on other similar fragmentation flags, but if someone fixes this, it would be good to see if other IP header fields have similar bugs.

Thanks,
Andy Fingerhut

Attachment: two-ip-pkts.pcap
Description: Binary data

Attachment: repro.sh

#! /bin/sh

TETHEREAL=~/sw/ethereal-0.10.10/tethereal
PCAPFILE=two-ip-pkts.pcap

echo "% uname -a"
uname -a
echo "% $TETHEREAL -v"
$TETHEREAL -v
echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df'"
$TETHEREAL -r $PCAPFILE -R 'ip.flags.df'
echo "% $TETHEREAL -r $PCAPFILE -R '!ip.flags.df'"
$TETHEREAL -r $PCAPFILE -R '!ip.flags.df'
echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 0'"
$TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 0'
echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 1'"
$TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 1'
echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)'"
$TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)'
echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags & 0x0400'"
$TETHEREAL -r $PCAPFILE -R 'ip.flags & 0x0400'
echo "% $TETHEREAL -r $PCAPFILE -R '!(ip.flags & 0x4000)'"
$TETHEREAL -r $PCAPFILE -R '!(ip.flags & 0x4000)'
echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==0'"
$TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==0'
echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==1'"
$TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==1'

Attachment: linux-2.4-repro-output.txt

% uname -a
Linux wilma.netsift.net 2.4.21-20.0.1.ELsmp #1 SMP Wed Nov 24 20:34:01 EST 2004 i686 i686 i386 GNU/Linux
% /home/afinger/sw/ethereal-0.10.10/tethereal -v
tethereal 0.10.10
Compiled with GLib 2.2.3, with libpcap 0.8.3, with libz 1.1.4, without libpcre,
without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build doesn't support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.4.21-20.0.1.ELsmp.
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df'
  1   0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
  2   0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '!ip.flags.df'
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df == 0'
  2   0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df == 1'
  1   0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
  2   0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)'
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags & 0x0400'
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '!(ip.flags & 0x4000)'
  1   0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
  2   0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)==0'
tethereal: Syntax error.
% /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)==1'
tethereal: Syntax error.