Wireshark-bugs: [Wireshark-bugs] [Bug 10515] New: TCAP Malformed exception on externally re-asse

Date: Mon, 29 Sep 2014 18:29:39 +0000
Bug ID 10515
Summary TCAP Malformed exception on externally re-assembled packet
Product Wireshark
Version 1.12.1
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 13103 [details]
XUDT frame that generates TCAP Malformed Packet Error

Build Information:
Version 1.12.1 (v1.12.1-0-g01b65bf from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.1.22, with Gcrypt 1.6.0,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Sep 16 2014),
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 3.1.22, Gcrypt 1.6.0, without AirPcap.
Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz, with 32707MB of physical memory.


Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
We're looking at SCTP packets that have been collected on a tool that takes all
the SCCP chunks and re-assembles them into a single SCCP chunk.

Since the max SCCP length is 255 bytes, and the messages are bigger than this,
it results in a syntactically invalid frame as the SCCP length header shows 255
bytes, but the SCCP payload is much larger than that - all the length headers
after this are valid.

When you do this with an SCCP DT1 message, it works fine - see
UDT_ReassembledFrame.pcap.

When you do this with an SCCP XUDT message, it generates a TCAP Malformed Packet
error - see XUDT_ReassembledFrame.pcap.

When I look at the XUDT_ReassembledFrame.pcap in another tool, I get
XUDT_ReassembledFrame_txtDecode.txt, which seems to suggest the packet is fine
(other than the SCCP length header).

So the assumption is Wireshark can handle the fudged SCCP Length header in
RANAP, but not in TCAP. Is it possible to make the TCAP parser more forgiving
so it can display this frame?
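
The length mismatch described in the report, as an added example that is not part of the original bug report and is not Wireshark's code: a small Python check that finds the data parameter of an SCCP XUDT message and compares its one-octet length field with the bytes actually present. It assumes the XUDT layout from ITU-T Q.713 (type, protocol class, hop counter, four one-octet pointers); the function names and the sample frame are constructed for illustration.

```python
XUDT = 0x11  # SCCP message type code for Extended Unitdata (ITU-T Q.713)


def check_xudt_data(msg: bytes, tolerant: bool = True) -> dict:
    """Compare the declared data length of an XUDT message with what is present.

    Assumed layout: type, protocol class, hop counter, then pointers to called
    party, calling party, data and optional part. Each pointer counts from its
    own offset to the length octet of the parameter it refers to.
    """
    if len(msg) < 7 or msg[0] != XUDT:
        raise ValueError("not an SCCP XUDT message")
    len_pos = 5 + msg[5]                 # the data pointer sits at offset 5
    if len_pos >= len(msg):
        raise ValueError("data pointer runs past the end of the message")
    declared, start, end = msg[len_pos], len_pos + 1, len(msg)
    if msg[6]:                           # non-zero: an optional part follows
        opt_pos = 6 + msg[6]
        if start <= opt_pos <= end:
            end = opt_pos                # data cannot extend into the optional part
    available = end - start
    if declared == available:
        status = "ok"
    elif declared > available:
        status = "truncated"             # fewer bytes than the header promises
    else:
        status = "length-field-too-small"  # the externally reassembled case
    # Tolerant mode hands every available byte to the upper layer;
    # strict mode never reads more than the length octet declares.
    take = available if tolerant else min(declared, available)
    return {"declared": declared, "available": available,
            "status": status, "data": msg[start:start + take]}


def build_sample_xudt(payload: bytes, declared: int) -> bytes:
    """Constructed frame: placeholder 2-octet addresses, no optional part."""
    called = calling = bytes([0x42, 0x08])           # placeholder address bytes
    header = bytes([XUDT, 0x01, 0x0F, 4, 6, 8, 0])   # pointers match the layout below
    return (header + bytes([len(called)]) + called
            + bytes([len(calling)]) + calling
            + bytes([declared]) + payload)


if __name__ == "__main__":
    frame = build_sample_xudt(b"\xaa" * 300, 255)    # 300 bytes behind a 255 header
    result = check_xudt_data(frame)
    print(result["status"], result["declared"], result["available"])
```

A strict parser that trusts the length octet passes only the first 255 bytes upward, so any length-prefixed encoding carried in the payload is cut short.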