Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] dissect_ip() and check for header length

From: Petr Sumbera <petr.sumbera@xxxxxxxxxx>
Date: Fri, 01 Oct 2010 17:02:51 +0200
I think I haven't got any response. Can I have someone to comment on this?

Thanks,

Petr

Dne 17.09.10 14:32, Petr Sumbera napsal(a):
Dne 16.09.10 19:52, Guy Harris napsal(a):
On Sep 16, 2010, at 7:12 AM, Petr Sumbera wrote:
I didn't say how big the *packet* is, I said how big the *header* is.
IPv4 has two length fields, the header length, which is what you say
is zero, and the total length. If you only know the total length, you
*CANNOT* determine the header length. What you originally said was

But the problem is that stored packets for *outgoing* traffic doesn't
contain "Header length" (it's zero as at layer where it was captured it
wasn't filled, the same case is for "Header checksum").

dissect_ip() for such packets will report just:
"Header length: %u bytes (bogus, must be at least %u)".

which was referring to the header length, not the total length.

My mistake I found wrong occurrence of "bogus" word and worked with it.
In reality I'm seeing only this:

Total length: 0 bytes (bogus, less than header length 20)

You would have to make a copy of the packet data and construct a new
tvbuff - and even that, as noted, can not and will not fix

I guess I should go this way then?

For now I did another quick hack you probably wouldn't like it:

--- wireshark-1.2.10/epan/dissectors/packet-ip.c.orig
+++ wireshark-1.2.10/epan/dissectors/packet-ip.c
@@ -1487,7 +1487,7 @@
if (ip_tso_supported && !iph->ip_len)
iph->ip_len = tvb_reported_length(tvb);

- if (iph->ip_len < hlen) {
+ if (iph->ip_len < hlen && (iph->ip_len!=0 && tvb_get_ntohs(tvb, offset
+ 10)!=0)) {
if (check_col(pinfo->cinfo, COL_INFO))
col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less than
header length %u)",
iph->ip_len, hlen);
@@ -1504,7 +1504,8 @@
* obviously bogus, adjust the length of this tvbuff to include only
* the IP datagram.
*/
- set_actual_length(tvb, iph->ip_len);
+ if (iph->ip_len)
+ set_actual_length(tvb, iph->ip_len);

if (tree)
proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);

Thanks for helping me with this!

Petr