Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message
From: Brian Oleksa <[email protected]>
Date: Thu, 25 Mar 2010 14:44:56 -0400
Chris

Thanks for the info.

I am going to take your advice and try and track down this bug first before I make a decision to change to a heuristic dissector or not.
My dissector only crashes in windows. I was able to track down what 
frame it was crashing on in windows and load up this frame
on a linux box (with my dissector in place) with no problems.

After looking at this packet.....the only thing that through me off is that it "recorded" it as a Helen packet but started with 0x293e. This is why I was lead to believe that it crashed because it did not start with 0xbead.
So there was some other traffic on my helen port that came across the 
wire that my dissector thought was a helen packet (which turned out to 
not be)..so therefore it crashed.
I will keep digging here.

Thanks,
Brian



Maynard, Chris wrote:
Brian,

What part of the document is confusing? Did you look at the code examples in the file? It shows you the 2 main functions that you need to change - the main dissector declaration with heuristics plus the handoff function. Besides the README, keep in mind that you also have plenty of other Wireshark dissectors that can serve as excellent heuristic examples. Search for "heur_dissector_add" in epan/dissectors/packet-*.c and you will find them.
If you do change to a heuristic dissector, you should make the heuristics as strong as possible.  Checking only that the 1st byte is 0xbe is pretty weak.  You should verify as much information as possible before accepting it - things like the port, the entire magic #, the length of the packet as having the minimum # of bytes to possibly be a Helen packet (i.e. 18 for header only or 20 if you require at least a tail extension), etc.

BTW, changing to a heuristic dissector (or not) will not fix the inherent problems with your dissector.  Your dissector is not crashing because the 1st byte is not 0xbe.  The crash is occurring for some other reason that you should track down and fix regardless of whether you change your dissector into a heuristic one or not.

- Chris


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Oleksa
Sent: Thursday, March 25, 2010 12:19 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packet Size limited during capture message

Chris

Thanks for the response.

I looked at the README.heuristic documentation and I am a little confused on what I would have to change if I went this route.
It would be nice to just do this:   As all Helen packets start with 0xbead

if ( tvb_get_guint8(tvb, 0) != 0xbe )
    return (FALSE);
else
/* Assume it's your packet and do dissection */
...
return (TRUE);

But since this is the first packet I am not sure where to start at.

Thanks,
Brian







Maynard, Chris wrote:
If the magic # doesn't match, presumably because there's other traffic destined for your port which is not Helen traffic, and you want to abandon processing of the packet, then you have a couple of choices.  You can either change your dissector to a new-style dissector that returns the number of bytes processed (zero in the case of a packet you determine is NOT a Helen packet), or change your dissector to a heuristic one.  Read more about these in doc/README.developer and doc/README.heuristic.

BTW, what do you do if the Helen extension code is not 0, 1, 2, or 3?  That's one possible reason for the source of your crash in this case. I made some suggestions in a prior thread on how you might improve your dissector in this regard, but it doesn't look like you many any of those changes.  I don't know if it would have prevented the crash or not in this case, but it would have at least allowed you to correctly display any new codes that your dissector had not yet supported.  Maybe you want to take a look at that too.

- Chris


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Oleksa
Sent: Wednesday, March 24, 2010 10:00 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packet Size limited during capture message

Guy / Bill / Chris / Jakub / Mike

So I did some more troubleshooting only to find the following:
The dissector crashes in WinXP but not on my Fedora Core 9 box. This is weird.

Using editcap... I was able to find the frame on windows to which wireshark crashed on (which was frame 17641).
I opened the same .pcap file on my FC-9 box (it did not crash)...but I went to frame 17641 only to find out that it is a Malformed Packet.

How I determine if it is a Helen packet or not....is that all helen packets start with 0xbead which is the "magic number". I have never had this problem before as I found thousands of Helen packets this way. But this malformed packet has a magic number of 0x293e  .... which then through the rest of the packet info off and crashed wireshark (on Windows).

Any thoughts..??

Do I need to make sure that the hf_helen_magic is equal to 0xBEAD.....and if not I discard this packet..??

Why did it find this packet and assume that it was a Helen Packet..?? Was it because 0x293e is equal to 0xBEAD in length so it just assumed it was a helen packet..??
Attached is the code.

Thanks for your help,
Brian

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe