
Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 24 Mar 2010 18:07:07 -0400
If the magic # doesn't match, presumably because there's other traffic destined for your port which is not Helen traffic, and you want to abandon processing of the packet, then you have a couple of choices.  You can either change your dissector to a new-style dissector that returns the number of bytes processed (zero in the case of a packet you determine is NOT a Helen packet), or change your dissector to a heuristic one.  Read more about these in doc/README.developer and doc/README.heuristic.

BTW, what do you do if the Helen extension code is not 0, 1, 2, or 3?  That's one possible reason for the source of your crash in this case. I made some suggestions in a prior thread on how you might improve your dissector in this regard, but it doesn't look like you made any of those changes.  I don't know if it would have prevented the crash or not in this case, but it would have at least allowed you to correctly display any new codes that your dissector had not yet supported.  Maybe you want to take a look at that too.

- Chris
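The new-style dissector convention Chris describes (return the bytes consumed, or 0 for a frame that is not Helen), as an added stand-alone C example that is not code from this thread or from Wireshark: it mirrors the magic check and the unknown-extension-code handling without the Wireshark API, and the header layout beyond the 0xBEAD magic and the 0..3 extension codes is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the thread: every Helen packet starts with magic 0xBEAD and the dissector
 * knows extension codes 0..3. The rest of the layout (one ext-code byte after
 * the magic, then payload) is an assumption made for this example. */
#define HELEN_MAGIC   0xBEADu
#define HELEN_HDR_LEN 3u

static const char *const helen_ext_names[] = { "ext0", "ext1", "ext2", "ext3" };

/* Never index past the table: an unknown code gets a label instead of
 * undefined behaviour (the kind of bug that crashes on one OS and not another). */
const char *helen_ext_name(uint8_t ext)
{
    size_t n = sizeof helen_ext_names / sizeof helen_ext_names[0];
    return ext < n ? helen_ext_names[ext] : "Unknown";
}

/* Stand-in for the new-style dissector convention Chris describes: return the
 * bytes consumed, or 0 when the frame is not Helen so Wireshark can hand it to
 * another dissector instead of decoding it as Helen anyway. */
size_t dissect_helen(const uint8_t *buf, size_t len, char *desc, size_t desc_len)
{
    if (buf == NULL || len < HELEN_HDR_LEN)
        return 0;                                      /* too short to be Helen */
    unsigned magic = ((unsigned)buf[0] << 8) | buf[1]; /* big-endian, as tvb_get_ntohs() */
    if (magic != HELEN_MAGIC)
        return 0;                                      /* e.g. 0x293E from the thread */
    uint8_t ext = buf[2];
    snprintf(desc, desc_len, "Helen magic=0x%04X ext=%u (%s) payload=%zu bytes",
             magic, ext, helen_ext_name(ext), len - HELEN_HDR_LEN);
    return len;                                        /* whole frame consumed */
}

int main(void)
{
    /* Constructed sample frames, not captures from the thread. */
    const uint8_t good[]  = { 0xBE, 0xAD, 0x07, 0x11, 0x22 }; /* Helen, unknown ext code 7 */
    const uint8_t other[] = { 0x29, 0x3E, 0x02, 0x11, 0x22 }; /* wrong magic: not Helen */
    char desc[96] = "not Helen";
    printf("good: consumed %zu -> %s\n", dissect_helen(good, sizeof good, desc, sizeof desc), desc);
    strcpy(desc, "not Helen");
    printf("other: consumed %zu -> %s\n", dissect_helen(other, sizeof other, desc, sizeof desc), desc);
    return 0;
}
```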


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Brian Oleksa
Sent: Wednesday, March 24, 2010 10:00 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packet Size limited during capture message

Guy / Bill / Chris / Jakub / Mike

So I did some more troubleshooting only to find the following:
The dissector crashes in WinXP but not on my Fedora Core 9 box. This is weird.

Using editcap... I was able to find the frame on windows to which wireshark crashed on (which was frame 17641).
I opened the same .pcap file on my FC-9 box (it did not crash)...but I went to frame 17641 only to find out that it is a Malformed Packet.

How I determine if it is a Helen packet or not....is that all Helen packets start with 0xbead which is the "magic number". I have never had this problem before as I found thousands of Helen packets this way. But this malformed packet has a magic number of 0x293e .... which then threw the rest of the packet info off and crashed Wireshark (on Windows).

Any thoughts..??

Do I need to make sure that the hf_helen_magic is equal to 0xBEAD.....and if not I discard this packet..??

Why did it find this packet and assume that it was a Helen packet..??
Was it because 0x293e is equal to 0xBEAD in length so it just assumed it was a Helen packet..??

Attached is the code.

Thanks for your help,
Brian
