Wireshark-bugs: [Wireshark-bugs] [Bug 2905] New: "ISAKMP-Attrib payload" values wrongly interpre
Date: Sat, 27 Sep 2008 11:22:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2905

           Summary: "ISAKMP-Attrib payload" values wrongly
                    interpreted/displayed
           Product: Wireshark
           Version: 1.0.3
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Extras
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Build Information:
wireshark 1.0.3

Copyright 1998-2008 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.11, with GLib 2.16.5, with libpcap 0.9.8, with libz
1.2.3, with POSIX capabilities (Linux), with libpcre 7.8, without SMI, without
ADNS, without Lua, without GnuTLS, without Gcrypt, without Kerberos, without
PortAudio, without AirPcap.

Running on Linux 2.6.26-tuxonice, with libpcap version 0.9.8.

Built using gcc 4.3.1.
--
  Sorry if this is not the right place to post this, just please tell where
should I do it if that's the case.

  Now, when decoding ISAKMP traffic WireShark doesn't decode some of the XAUTH
fields correctly as you can see here:

Internet Security Association and Key Management Protocol
    Initiator cookie: C2CE615CB2795129
    Responder cookie: 1392CB3FB96C3ADD
    Next payload: Hash (8)
    Version: 1.0
    Exchange type: Transaction (Config Mode) (6)
    Flags: 0x00
    Message ID: 0x4ff279b4
    Length: 90
    Hash payload
        Next payload: Attrib (14)
        Payload length: 24
        Hash Data
    Attrib payload
        Next payload: NONE (0)
        Payload length: 38
        Type ISAKMP_CFG_REPLY (2)
        Identifier: 0
        XAUTH_TYPE (0)
        XAUTH_USER_NAME: <too big (8 bytes)>
        XAUTH_USER_PASSWORD: <too big (10 bytes)>

where both values XAUTH_USER_NAME and XAUTH_USER_PASSWORD are strings and shown
be decoded as such. And here:

Internet Security Association and Key Management Protocol
    Initiator cookie: C2CE615CB2795129
    Responder cookie: 1392CB3FB96C3ADD
    Next payload: Hash (8)
    Version: 1.0
    Exchange type: Transaction (Config Mode) (6)
    Flags: 0x00
    Message ID: 0x2ee3dd79
    Length: 124
    Hash payload
        Next payload: Attrib (14)
        Payload length: 24
        Hash Data
    Attrib payload
        Next payload: NONE (0)
        Payload length: 72
        Type ISAKMP_CFG_SET (3)
        Identifier: 1
        XAUTH_STATUS (1)
        INTERNAL_IP4_ADDRESS (2270963452e)
        INTERNAL_IP4_DNS (2619157494e)
        INTERNAL_IP4_DNS (2619155396e)
        INTERNAL_IP4_NBNS (2325487595e)
        INTERNAL_IP4_NBNS (2325487597e)
        INTERNAL_ADDRESS_EXPIREY (86400e)
        INTERNAL_IP4_SUBNET: <too big (8 bytes)>

where all of the INTERNAL_IP4_* values should be interpreted and displayed as
IP addresses instead of numbers and for all of them (including
INTERNAL_ADDRESS_EXPIREY) I don't know what the "e" character at the end of the
values shown mean (I think it's just a bug in the interpretation/display).

Regards,
Rolando Zappacosta


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.