
Wireshark-bugs: [Wireshark-bugs] [Bug 10287] DNP3 Dissector segments reassembly

Date: Thu, 17 Jul 2014 15:35:56 +0000

changed bug 10287

What            Removed       Added
Status          UNCONFIRMED   CONFIRMED
CC                            [email protected]
Ever confirmed                1

Comment # 1 on bug 10287 from
The capture shows an extremely fragmented DNP3 conversation over TCP, each
segment containing at most 3 bytes of data.

This is usually a symptom of communication over some form of terminal server
(Ethernet to Serial) where the TS hasn't been set to wait for a gap when
receiving serial data so that a complete message is received before then being
transmitted over Ethernet.

The dissector fails to reassemble the DNP3 messages as it expects to receive at
least two bytes (the message start prefix 0x0564), and in the pcap only the 4
successfully decoded messages have the two prefix bytes in the same segment.

I'm not certain that a reliable fix for this can be done in the dissector as I
think a call of tcp_dissect_pdus() implies that the data will be dissected by
the dissector and calling this after receiving a single byte of 0x05 might
cause the dissector to run on other data.

I suppose that if heuristic dissection is disabled, then the dissector should
just attempt to dissect any traffic handed to it, but if heuristic dissection
is on, then at least the two prefix bytes should be found.


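The failure mode discussed in the comment above, as an added example that is not part of the original comment and is not Wireshark's code: a stand-alone C framer that treats a lone 0x05 as "undecided, wait for more" instead of rejecting it, so the 0x0564 prefix can straddle TCP segments. The function names and sample bytes are hypothetical and constructed; the length formula assumes the DNP3 link-layer layout of a 10-byte header followed by user data carrying a 2-byte CRC per 16-byte block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { DNP3_NOT = -1, DNP3_MORE = 0 };

/* DNP3_NOT: bytes cannot begin a DNP3 link frame.
 * DNP3_MORE: valid but incomplete prefix (even a single 0x05).
 * Otherwise: total frame length in bytes. */
static int dnp3_frame_len(const uint8_t *b, size_t n)
{
    if (n >= 1 && b[0] != 0x05) return DNP3_NOT;
    if (n >= 2 && b[1] != 0x64) return DNP3_NOT;
    if (n < 3) return DNP3_MORE;            /* length octet not seen yet */
    if (b[2] < 5) return DNP3_NOT;          /* must cover ctrl + dst + src */
    int data = b[2] - 5;                    /* user data octets */
    return 10 + data + 2 * ((data + 15) / 16);
}

/* Hypothetical per-direction stream state. */
struct framer { uint8_t buf[512]; size_t used; int frames; int rejected; };

static void framer_feed(struct framer *f, const uint8_t *seg, size_t len)
{
    if (f->rejected || len > sizeof f->buf - f->used) { f->rejected = 1; return; }
    memcpy(f->buf + f->used, seg, len);
    f->used += len;
    for (;;) {
        int need = dnp3_frame_len(f->buf, f->used);
        if (need == DNP3_NOT) { f->rejected = 1; return; }
        if (need == DNP3_MORE || (size_t)need > f->used) return; /* wait */
        f->frames++;                        /* one complete link frame */
        f->used -= (size_t)need;
        memmove(f->buf, f->buf + need, f->used);
    }
}

/* Feeds msg in segments of at most `chunk` (> 0) bytes; returns the number
 * of frames recovered, or -1 if the stream was rejected as non-DNP3. */
static int frames_when_split(const uint8_t *msg, size_t len, size_t chunk)
{
    struct framer f = {0};
    for (size_t off = 0; off < len; off += chunk)
        framer_feed(&f, msg + off, len - off < chunk ? len - off : chunk);
    return f.rejected ? -1 : f.frames;
}

/* Constructed sample: two link frames; CRC octets zeroed, not validated. */
static const uint8_t SAMPLE[] = {
    0x05,0x64,0x05,0xC0,0x01,0x00,0x00,0x04,0x00,0x00,
    0x05,0x64,0x08,0x44,0x01,0x00,0x00,0x04,0x00,0x00, 0xC0,0xC1,0x01, 0x00,0x00 };
```

The trade-off the comment raises remains: holding a stream on a single 0x05 delays the verdict for non-DNP3 traffic that happens to begin with that byte until the second byte arrives.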