Hi there,
I think, I've found a bug: the length of a TPKT header evaluated later
is swapped by tvb_get_ntohs() (Wireshark 0.99.6
/epan/dissectors/packet-tpkt.c:193). It only works for us if we re-swap
it with g_htons() just after fetching it from the tvb:
packet-tpkt.c:193: data_len = g_htons(tvb_get_ntohs(tvb, offset + 2));
This makes Wireshark display the value correctly and split several TPKT
packet inside one TCP packet. Other way around the length isn't
displayed correctly (much too high) and further TPKT packets inside a
TCP packet are ignored.
Please have a look at my generated diff-file. Am I right?
----------- zip -------------------------------------
Index: packet-tpkt.c
===================================================================
--- packet-tpkt.c (revision 20531)
+++ packet-tpkt.c (working copy)
@@ -190,8 +190,8 @@
/*
* Get the length from the TPKT header.
*/
- data_len = tvb_get_ntohs(tvb, offset + 2);
-
+ data_len = g_htons(tvb_get_ntohs(tvb, offset + 2));
+
/*
* Can we do reassembly?
*/
----------- zip -------------------------------------
Thanks a lot
Bye,
Hendrik
