Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 33048: /trunk/ /trunk/epan/dissector

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 08 Jun 2010 10:20:24 -0400
gal@xxxxxxxxxxxxx wrote:
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33048

User: gal
Date: 2010/06/02 07:43 AM

Log:
 Bug 3597 - implicit octet string that is constructed causes PRES/FTAM dissect failure
Introduced some state to remember last dissected Tag/Length so that they can be recalled if an IMPLICIT tag is encountered and stripped. This allows its to be determined if the value has a constructed value - and so can be reassembled. In this case, it is a IMPLICIT constructed OCTET STRING at the presentation layer. Many thanks to Fred Gruman for identifying - and apologies for the delay in commiting.

This breaks the ANSI TCAP dissector. It now complains "BER Error: OctetString expected but class:CONTEXT(2) primitive tag:21 was unexpected" and then the packet is marked as unreassembled.

I'm afraid I don't understand this stuff well enough to attempt a fix. Can someone take a look? A sample capture that shows the problem can be found on the SampleCaptures page:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=ansi_tcap_over_itu_sccp_over_mtp3_over_mtp2.pcap