Wireshark-bugs: [Wireshark-bugs] [Bug 12490] New: Incorrect decode of 1394 dissection as part of

Date: Thu, 02 Jun 2016 08:29:48 +0000
Bug ID: 12490
Summary: Incorrect decode of 1394 dissection as part of 1722 dissection
Product: Wireshark
Version: 2.0.0
Hardware: x86
OS: Mac OS X 10.11
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 14612 [details]
1722 capture

Build Information:
Version 2.0.0 (v2.0.0-0-g9a73b82 from master-2.0)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP, with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.5, build 15F34 (Darwin 15.5.0), with locale C, with
libpcap version 1.5.3 - Apple version 54, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Decode of 1394 is incorrect if the Format Tag is 0x00.

The standard states that Format Tag 0x00 indicates no CIP header.

Tag: 
00 = No CIP header included 
01 = CIP header included as specified in 6.1.3
10 = Reserved
11 = Reserved

Wireshark decodes the next data bytes as a CIP header. It also seems to ignore
the 1394 header CRC and decodes that as part of the nonexistent CIP header.

The pcap file attached is a capture from a BroadR Reach camera sending data
using IEEE1722.

http://grouper.ieee.org/groups/1722/
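
The tag handling the report asks for, as an added example that is not part of the original report and is not Wireshark's dissector code: the CIP header is parsed only when the tag is 01, tag 00 leaves the payload untouched, and the reserved values are rejected. The function, struct and sample names are hypothetical; it assumes the tag is the top two bits of the octet it shares with the 6-bit channel (the 1394 isochronous header layout) and that the CIP header is the two-quadlet form of IEC 61883-1.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag values from the table in the report. */
enum { TAG_NO_CIP = 0x0, TAG_CIP = 0x1 };
enum { CIP_OK = 0, CIP_ERR_RESERVED_TAG = -1, CIP_ERR_TRUNCATED = -2 };
#define CIP_HEADER_LEN 8u /* assumption: two-quadlet CIP header */

struct iso_payload {            /* hypothetical result type */
    uint8_t tag, channel;
    int     has_cip;
    uint8_t sid, dbs, dbc, fmt; /* meaningful only when has_cip != 0 */
    size_t  data_offset;        /* where the data starts inside buf */
};

/* Constructed sample: SID 0x3f, DBS 2, DBC 0x10, FMT 0x10. */
const uint8_t sample_cip[8] = { 0x3f, 0x02, 0x00, 0x10,
                                0x90, 0x02, 0xff, 0xff };

/* tag_channel: octet holding tag (bits 7-6) and channel (bits 5-0).
 * buf/len: the bytes that follow the isochronous header fields. */
int parse_iso_payload(uint8_t tag_channel, const uint8_t *buf, size_t len,
                      struct iso_payload *out)
{
    out->tag = tag_channel >> 6;
    out->channel = tag_channel & 0x3f;
    out->has_cip = 0;
    out->sid = out->dbs = out->dbc = out->fmt = 0;
    out->data_offset = 0;

    switch (out->tag) {
    case TAG_NO_CIP:            /* 00: no CIP header, data starts at once */
        return CIP_OK;
    case TAG_CIP:               /* 01: CIP header precedes the data */
        if (buf == NULL || len < CIP_HEADER_LEN)
            return CIP_ERR_TRUNCATED;
        out->has_cip = 1;
        out->sid = buf[0] & 0x3f;   /* quadlet 0: SID, DBS, ..., DBC */
        out->dbs = buf[1];
        out->dbc = buf[3];
        out->fmt = buf[4] & 0x3f;   /* quadlet 1: FMT in the low 6 bits */
        out->data_offset = CIP_HEADER_LEN;
        return CIP_OK;
    default:                    /* 10 and 11 are reserved */
        return CIP_ERR_RESERVED_TAG;
    }
}
```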
