
Wireshark-bugs: [Wireshark-bugs] [Bug 11709] New: DTLS packets may be marked "Malformed Packet"

Date: Sat, 14 Nov 2015 16:53:23 +0000
Bug ID: 11709
Summary: DTLS packets may be marked "Malformed Packet" after ClientHello is v1.2 but ServerHello selects v1.0
Product: Wireshark
Version: 1.12.8
Hardware: x86-64
OS: Linux (other)
Status: UNCONFIRMED
Severity: Minor
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 14006 [details]
DTLS handshake from ClientHello through first ApplicationData packet

Build Information:
wireshark 1.12.8 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.10.8, with Cairo 1.13.1, with Pango 1.36.3, with
GLib 2.40.2, with libpcap, with libz 1.2.8, without POSIX capabilities, without
libnl, without SMI, without c-ares, without ADNS, without Lua, without Python,
without GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without
PortAudio, with AirPcap.

Running on Linux 4.3.0-gnu, with locale en_US.UTF-8, with libpcap version 1.5.3,
with libz 1.2.8, without AirPcap.
Intel(R) Core(TM) i7-3517U CPU @ 1.90GHz

Built using gcc 4.8.4.

----
Built from this file:
$ sha256sum wireshark-1.12.8.tar.bz2
357e0a4e49525d80cdc740bb16539fcdb526ad38cc2ed6cabedafc9bdee5c7e7  wireshark-1.12.8.tar.bz2

--
Same occurred in wireshark 1.10.6-1 from the Trisquel GNU/Linux 7 repository
(via Ubuntu 14.04).

See attached conversation, especially:
Packet 2, bytes 0x0043 and 0x0044 showing ServerHello selected DTLSv1.0.
Packets 4 and 5 show "Malformed Packet" in the Wireshark interface.

The conversation was between a Firefox 41 WebRTC client and Jitsi Videobridge
(JVB, a Selective Forwarding Unit) 519 server. JVB uses (a patched)
BouncyCastle (BC). MAC and IP addresses have been replaced with dummies.

More on the version of BC:
$ sha1sum lib/bouncycastle.jar
5ac68efbf79977a2189f4b995679f21d37cd9427  lib/bouncycastle.jar
$ sha256sum lib/bouncycastle.jar
f5a2e4328ac64c4b96b942b79b542bc9b9a2b0e0b2b5e6039225cb2a6adec630  lib/bouncycastle.jar

Differences between JVB's BC and BC should be found here:
https://github.com/bcgit/bc-java/compare/master...gpolitis:master
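The report hinges on how a dissector tracks the DTLS version: the ClientHello body carries the offered version (0xFEFD, DTLSv1.2) and the ServerHello body carries the selected version (0xFEFF, DTLSv1.0), and every later record of the conversation has to be decoded against the selected one. The offset the reporter points at, 0x43, is consistent with that: assuming an untagged Ethernet frame with an IPv4 header without options, 14 + 20 + 8 = 42 (0x2A) bytes of Ethernet/IPv4/UDP headers, plus the 13-byte DTLS record header and the 12-byte handshake header, lands exactly on the first byte of server_version. The following Python is an added example, not Wireshark's dissector and not code from the reporter, JVB or BouncyCastle: it parses DTLS record and handshake headers, records offered versus negotiated version per conversation, and flags any post-ServerHello record whose record-layer version disagrees with what the server selected. The packet bytes are constructed to mirror the exchange the report describes (the cipher suite value and random bytes are arbitrary choices).

```python
"""Minimal DTLS record/handshake parser that follows a version downgrade.

Added example (not Wireshark, JVB or BouncyCastle code). The sample bytes below
are constructed to mirror the reported capture: a DTLSv1.2 ClientHello answered
by a ServerHello that selects DTLSv1.0, followed by an ApplicationData record.
"""
import struct

# Version codes from RFC 4347 / RFC 6347 (DTLS encodes 255 - minor version).
DTLS_VERSIONS = {0xFEFF: "DTLSv1.0", 0xFEFD: "DTLSv1.2"}
CT_HANDSHAKE, CT_APPLICATION_DATA = 22, 23
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2

# Record header: type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes
RECORD_HDR = struct.Struct("!BHH6sH")
# Handshake header: type(1) length(3) message_seq(2) frag_offset(3) frag_length(3) = 12 bytes
HANDSHAKE_HDR = struct.Struct("!B3sH3s3s")


def parse_records(payload: bytes):
    """Split one UDP payload into DTLS records: (type, version, epoch, seq, fragment)."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, epoch, seq, length = RECORD_HDR.unpack_from(payload, off)
        off += RECORD_HDR.size
        if len(payload) - off < length:
            raise ValueError("record length %d exceeds payload" % length)
        records.append((ctype, version, epoch, int.from_bytes(seq, "big"), payload[off:off + length]))
        off += length
    return records


def parse_handshake(fragment: bytes):
    """Return (msg_type, body) for an unfragmented handshake message."""
    if len(fragment) < HANDSHAKE_HDR.size:
        raise ValueError("truncated handshake header")
    msg_type, length, _msg_seq, frag_off, frag_len = HANDSHAKE_HDR.unpack_from(fragment, 0)
    length, frag_off, frag_len = (int.from_bytes(x, "big") for x in (length, frag_off, frag_len))
    if frag_off != 0 or frag_len != length:
        raise ValueError("fragmented handshake message; reassembly is out of scope here")
    body = fragment[HANDSHAKE_HDR.size:HANDSHAKE_HDR.size + frag_len]
    if len(body) != frag_len:
        raise ValueError("truncated handshake body")
    return msg_type, body


class DtlsConversation:
    """Tracks offered vs. negotiated version the way a dissector has to."""

    def __init__(self):
        self.offered = None      # client_version from the ClientHello body
        self.negotiated = None   # server_version from the ServerHello body
        self.events = []

    def feed(self, payload: bytes):
        for ctype, rec_version, epoch, _seq, fragment in parse_records(payload):
            was_negotiated = self.negotiated
            if ctype == CT_HANDSHAKE and epoch == 0:
                msg_type, body = parse_handshake(fragment)
                if msg_type in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
                    hello_version = int.from_bytes(body[0:2], "big")  # first field of both hellos
                    name = DTLS_VERSIONS.get(hello_version, hex(hello_version))
                    if msg_type == HS_CLIENT_HELLO:
                        self.offered = name
                        self.events.append("ClientHello offers " + name)
                    else:
                        self.negotiated = name
                        self.events.append("ServerHello selects " + name)
            # Once the server has chosen, later records are decoded against that choice,
            # not against what the client offered; a mismatch is worth surfacing.
            if was_negotiated is not None:
                rec_name = DTLS_VERSIONS.get(rec_version, hex(rec_version))
                if rec_name != self.negotiated:
                    self.events.append("record type %d version %s != negotiated %s"
                                       % (ctype, rec_name, self.negotiated))
                else:
                    self.events.append("record type %d decoded as %s" % (ctype, rec_name))
        return self.events


def build_record(ctype, version, epoch, seq, fragment):
    return RECORD_HDR.pack(ctype, version, epoch, seq.to_bytes(6, "big"), len(fragment)) + fragment


def build_handshake(msg_type, body, msg_seq=0):
    n = len(body).to_bytes(3, "big")
    return HANDSHAKE_HDR.pack(msg_type, n, msg_seq, b"\x00\x00\x00", n) + body


def sample_exchange():
    """Constructed packets: v1.2 ClientHello, v1.0 ServerHello, then ApplicationData."""
    rnd = bytes(range(32))  # constructed stand-in for the 32-byte random field
    client_hello = (b"\xfe\xfd" + rnd + b"\x00"   # client_version, random, empty session_id
                    + b"\x00"                     # empty cookie
                    + b"\x00\x02\xc0\x2b"         # one cipher suite (arbitrary choice)
                    + b"\x01\x00")                # null compression only
    server_hello = b"\xfe\xff" + rnd + b"\x00" + b"\xc0\x2b" + b"\x00"  # server_version first
    pkt1 = build_record(CT_HANDSHAKE, 0xFEFF, 0, 0, build_handshake(HS_CLIENT_HELLO, client_hello))
    pkt2 = build_record(CT_HANDSHAKE, 0xFEFF, 0, 0, build_handshake(HS_SERVER_HELLO, server_hello))
    pkt3 = build_record(CT_APPLICATION_DATA, 0xFEFF, 1, 0, b"\xaa" * 16)  # ciphertext placeholder
    return [pkt1, pkt2, pkt3]


def analyse(packets):
    conv = DtlsConversation()
    for p in packets:
        conv.feed(p)
    return conv


if __name__ == "__main__":
    for line in analyse(sample_exchange()).events:
        print(line)
```

Running it prints the offered version (DTLSv1.2), the selected version (DTLSv1.0) and then each later record decoded as DTLSv1.0. Feeding a record with a 0xFEFD version field after the ServerHello instead produces a mismatch event, which is the situation where a decoder keyed on the ClientHello's version rather than the ServerHello's would misparse the rest of the conversation.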

