Wireshark-bugs: [Wireshark-bugs] [Bug 6137] New: Search should ignore TCP payload encapsulated i

Date: Mon, 18 Jul 2011 21:15:02 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6137

           Summary: Search should ignore TCP payload encapsulated in ICMP
                    11 TTL exceeded
           Product: Wireshark
           Version: 1.4.7
          Platform: x86
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: denis.laplante@xxxxxx


Build Information:
/Applications/Wireshark.app/Contents/Resources/bin/tshark -v
TShark 1.4.7 (SVN Rev 37483 from /trunk-1.4)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.16.3, with libpcap 0.9.5, with libz 1.2.3,
without
POSIX capabilities, without libpcre, with SMI 0.4.8, with c-ares 1.5.3, with
Lua
5.1, without Python, with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT Kerberos,
without GeoIP.

Running on Darwin 9.8.0 (Mac OS 10.5.8), with libpcap version 0.9.5, with libz
1.2.3.

Built using gcc 4.0.1 (Apple Inc. build 5488).
--
In my opinion the display filter "tcp.port==80" should not catch an ICMP packet
reporting time-to-live exceeded that encapsulates the original TCP packet to
port==80.

tshark -V -r alvinw_spoof_l9_137_82_0_0.enc -R "tcp.port==80"
       [anonymized, and edited for brevity]
Frame 944: 78 bytes on wire (624 bits), 74 bytes captured (592 bits)
    [Protocols in frame: eth:vlan:ip:icmp:ip:tcp]
Ethernet II, Src:xxx, Dst: yyy
802.1Q Virtual LAN, PRI: 6, CFI: 0, ID: zzz
Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 9.8.7.6 (9.8.7.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN:
0x00)
    Total Length: 56
    Identification: 0x0d7a (3450)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 255
    Protocol: ICMP (1)
    Header checksum: 0xb059 [correct]
    Source: 1.2.3.4 (1.2.3.4)
    Destination: 9.8.7.6 (9.8.7.6)
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (Time to live exceeded in transit)
    Checksum: 0x80b0 [correct]
    Internet Protocol, Src: 9.8.7.6 (9.8.7.6), Dst: 5.6.7.8 (5.6.7.8)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 48
        Identification: 0x8991 (35217)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 1
            [Expert Info (Note/Sequence): "Time To Live" only 1]
                [Message: "Time To Live" only 1]
                [Severity level: Note]
                [Group: Sequence]
        Protocol: TCP (6)
        Header checksum: 0x5f93 [correct]
        Source: 9.8.7.6 (9.8.7.6)
        Destination: 5.6.7.8 (5.6.7.8)
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: 9269 (9269)
        Source port: 80 (80)
        Destination port: 9269 (9269)
        Sequence number: 265961456

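The layering shown in the report above (eth:vlan:ip:icmp:ip:tcp), as an added Python example that is not part of the original bug report or of Wireshark's code: it walks a constructed frame and marks TCP ports that sit inside an ICMP error's quoted datagram, so a match on the port can include or exclude them. The function names, the VLAN ID, and the zeroed MAC addresses and checksums are assumptions.

```python
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMPv4 types whose body quotes the offending datagram

def ipv4(src, dst, proto, ttl, payload, total_len=None):
    """Minimal IPv4 header; checksum left 0 because nothing here verifies it."""
    total = total_len or 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                       bytes(src), bytes(dst)) + payload

def build_sample(in_icmp=True):
    """Constructed frame: eth:vlan:ip:icmp:ip:tcp (or eth:vlan:ip:tcp)."""
    eth = bytes(12) + struct.pack("!HHH", 0x8100, (6 << 13) | 100, 0x0800)
    tcp8 = struct.pack("!HHI", 80, 9269, 265961456)   # ports + sequence number
    if not in_icmp:
        return eth + ipv4((9, 8, 7, 6), (5, 6, 7, 8), 6, 64, tcp8)
    quoted = ipv4((9, 8, 7, 6), (5, 6, 7, 8), 6, 1, tcp8, total_len=48)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted  # type 11, code 0
    return eth + ipv4((1, 2, 3, 4), (9, 8, 7, 6), 1, 255, icmp)

def tcp_ports(frame):
    """Return [(sport, dport, quoted)]; quoted means 'inside an ICMP error'."""
    off = 14
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == 0x8100:                      # skip a single 802.1Q tag
        (etype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    found, quoted = [], False
    while etype == 0x0800 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        frag_off = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
        proto = frame[off + 9]
        off += ihl
        if proto == 6 and frag_off == 0 and len(frame) >= off + 4:
            found.append(struct.unpack_from("!HH", frame, off) + (quoted,))
        elif (proto == 1 and not quoted and len(frame) >= off + 8
              and frame[off] in ICMP_ERRORS):
            quoted, off = True, off + 8      # step over ICMP header into the quote
            continue
        break
    return found

def matches_tcp_port(frame, port, include_quoted=True):
    """include_quoted=True models the reported behaviour; False the requested one."""
    return any(port in (s, d) and (include_quoted or not q)
               for s, d, q in tcp_ports(frame))

if __name__ == "__main__":
    for label, f in (("icmp-quoted", build_sample()), ("direct", build_sample(False))):
        print(label, tcp_ports(f), matches_tcp_port(f, 80, include_quoted=False))
```

In Wireshark itself, the same exclusion can be written as the display filter `tcp.port==80 && !icmp`.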