Wireshark-bugs: [Wireshark-bugs] [Bug 1503] SSLv2 record length and version shown wrong

Date: Tue, 3 Apr 2007 00:43:56 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1503


richardv@xxxxxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |richardv@xxxxxxxxxxxxx




------- Comment #3 from richardv@xxxxxxxxxxxxx  2007-04-03 00:43 GMT -------
(In reply to comment #2)
> Created an attachment (id=600)
 --> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=600&action=view)
> fix-bug1503.patch
> 
> This patch "fixes" the following:
> 
> - changed hf_ssl_handshake_client_version and hf_ssl_handshake_server_version
> to hf_ssl_handshake_version. Since both were added with the field
> ssl.handshake.version, it was only possible to filter on the first one
> registered (which was hf_ssl_handshake_client_version). Now
> ssl.handshake.version shows both client and server handshake messages

That's not the way Wireshark (should) work with multiple hfs with the same
name. If you filter on ssl.handshake.version, you should see packets with
either hf_ssl_handshake_client_version or hf_ssl_handshake_server_version in
them. So I'm not clear what you're changing here.

> - changed dissect_ssl2_hnd_client_hello to use hf_ssl_handshake_version instead
> of hf_ssl_record_version. SSLv2 client hello's did not display when the filter
> ssl.handshake.version == 0x0002 was used, only SSLv2 server hello's were
> displayed. Now they are both displayed

Sounds good.

> - Added generated hf_ssl_record_version to SSLv2 handshake. Since the SSLv2
> does not include a record layer version field (unlike SSLv3), this field is
> generated so that all packets with a SSLv2 record layer can be filtered out.
> [this is actually what bug 1503 was all about]

Sounds good.

> - changed hf_ssl2_record to hf_ssl_record. Both hf_ssl2_record and
> hf_ssl_record pointed to the field ssl.record, which resulted in only SSLv3
> packets being shown with the filter ssl.record (because hf_ssl_record was
> registered first).

I question this for the same reason as ssl.handshake.version.

Also, could you provide a sample capture which shows the affected fields?


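The quoted patch description notes that an SSLv2 record carries no record-layer version field, unlike SSLv3, so a dissector has to generate one. The following is an added example, not code from this bug report or from Wireshark: a small Python classifier that reads the first record header and marks the SSLv2 record version as generated. The function name, dictionary keys and sample bytes are assumptions made for this illustration, and the SSLv3/TLS check is a simple heuristic.

```python
import struct

# Message types of the two SSLv2 hello messages.
SSL2_HELLO_TYPES = {1: "CLIENT-HELLO", 4: "SERVER-HELLO"}
# Content types of the SSLv3/TLS record layer.
SSL3_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}


def parse_record(data: bytes) -> dict:
    """Classify the first record in `data` and report its version fields."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to classify a record")
    # SSLv3/TLS: type(1) | version(2) | length(2); the version is on the wire.
    if data[0] in SSL3_CONTENT_TYPES and data[1] == 3:
        version, length = struct.unpack_from(">HH", data, 1)
        return {"layer": "SSLv3/TLS", "record_version": version,
                "generated": False, "length": length,
                "handshake_version": None}
    # SSLv2: length-only header, 2 bytes if the top bit is set, else 3 bytes
    # (the third byte is then the padding length).
    if data[0] & 0x80:
        hdr_len, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:
        hdr_len, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    if len(data) < hdr_len + 3 or data[hdr_len] not in SSL2_HELLO_TYPES:
        raise ValueError("not an SSLv2 hello or an SSLv3/TLS record")
    (hello_version,) = struct.unpack_from(">H", data, hdr_len + 1)
    # The header has no version, so 0x0002 is synthesised: generated=True.
    return {"layer": "SSLv2", "record_version": 0x0002, "generated": True,
            "length": length, "handshake_version": hello_version}


# Constructed sample bytes (not taken from a capture).
# SSLv2 CLIENT-HELLO: 2-byte header, length 0x2e, type 1, version 0x0002.
SSL2_CLIENT_HELLO = bytes.fromhex("802e 01 0002 0015 0000 0010")
# SSLv2-framed CLIENT-HELLO that offers version 0x0301 in the hello body.
SSL2_COMPAT_HELLO = bytes.fromhex("802e 01 0301")
# SSLv3/TLS handshake record header: type 22, version 0x0301, length 0x0035.
TLS_RECORD = bytes.fromhex("16 0301 0035 01")

if __name__ == "__main__":
    for name, raw in [("sslv2", SSL2_CLIENT_HELLO),
                      ("sslv2-compat", SSL2_COMPAT_HELLO),
                      ("tls", TLS_RECORD)]:
        print(name, parse_record(raw))
```

The second sample shows why the record version and the handshake version are separate fields: the framing is SSLv2 while the hello body advertises 0x0301.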