Wireshark-bugs: [Wireshark-bugs] [Bug 3010] ate dissector bug with Gogs: proto.c.2085: failed as

Date: Wed, 29 Oct 2008 12:03:58 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3010





--- Comment #2 from Joel Studtmann <joel.studtmann@xxxxxxxxxx>  2008-10-29 12:03:56 PDT ---
All:

I recreated this dissector error with the simplest Gog example I could come up
with:  tying the DNS requests with the HTTP Gets/responses.

Using the following configuration (without a Gog), everything works fine: PDUs
are identified, and GoPs are identified.  I can identify all traffic to
www.cisco.com with a display filter of: (mate.http.host == "www.cisco.com" ||
mate.dns.host == "www.cisco.com")

----------------

Pdu dns_pkt Proto dns Transport ip {
        Extract addr From ip.addr;
        Extract type From dns.flags.response;
        Extract dnsid From dns.id;
        Extract host From dns.qry.name;
};

Gop dns On dns_pkt Match (addr, addr, dnsid) {
        Start (type = 0);
        Stop (type = 1);
        Extra (host);
};

Pdu http_pkt Proto http Transport tcp/ip {
        Extract addr From ip.addr;
        Extract port From tcp.port;
        Extract host From http.host;
        Extract method From http.request.method;
        Extract uri From http.request.uri;
        Extract resp From http.response.code;
};

Gop http On http_pkt Match (addr, addr, port, port) {
        Start (method="GET");
        Stop (resp {200|302});
        Extra (host);
};

Done;

-----------------

However, if I add a simple Gog to tie the two together for me:

Gog gogtest {
        Member http (host);
        Member dns (host);
};

------------------

I get the dissector error above.

The attached capture creates the failure.  It was taken with a straight capture
off my work computer, although I filtered this version with the MATE display
filter of:

(mate.http.host == "www.cisco.com" || mate.dns.host == "www.cisco.com")

It should go without saying, but I provided a filtered version for standard
network security issues:  MATE isn't matching on HSRP/OSPF/STP/ARP/work chatter
anyway.

