
Wireshark-dev: Re: [Wireshark-dev] SVN revision 35005 and heuristic dissectors

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 24 Nov 2010 21:12:46 +0100
Hi Anders,

On 24/11/2010 17:39, Anders Broman wrote:
> Hi,
> Does it work better with revision 35020 or later?

It's working fine now.

Thanks,
Pascal.

> Regards
> Anders


From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Pascal Quantin
Sent: 24 November 2010 09:04
To: Developer support list for Wireshark
Subject: [Wireshark-dev] SVN revision 35005 and heuristic dissectors

Hi,

Since revision 35005 and the commit of the ReLOAD framing dissector, the UDP heuristic dissector I use (LTE-RLC) no longer works. My RLC PDU is seen as a ReLOAD packet.

When looking at the code, the function dissect_reload_framing_heur() calls dissect_reload_framing_message() that does almost no checks:

  /* First, make sure we have enough data to do the check. */
  if (effective_length < MIN_HDR_LENGTH)
    return 0;

  /* Get the type */
  type = tvb_get_guint8(tvb, 0);

  if (type == DATA) {
    /* in the data type, check the reload token to be sure this
       is a reLoad packet */
    message_length = (tvb_get_ntohs(tvb, 1 + 4)<<8)+ tvb_get_guint8(tvb, 1 + 4 + 2);
    if (message_length < MIN_RELOADDATA_HDR_LENGTH) {
      return 0;
    }
    relo_token = tvb_get_ntohl(tvb,1 + 4 + 3);
    if (relo_token != RELOAD_TOKEN) {
      return 0;
    }
  }

The LTE-RLC heuristic dissector adds the "rlc-lte" string at the beginning of the UDP packet and unfortunately it is caught by the code above.

I'm not familiar with this protocol but I guess there is probably a way to avoid breaking other dissectors. Adding the following patch helps on my side but I'm not sure it is fully valid and it still seems weak to me:

Index: epan/dissectors/packet-reload-framing.c
===================================================================
--- epan/dissectors/packet-reload-framing.c    (revision 35018)
+++ epan/dissectors/packet-reload-framing.c    (working copy)
@@ -143,9 +143,10 @@
     if (relo_token != RELOAD_TOKEN) {
       return 0;
     }
+  } else if (type != ACK) {
+    return 0;
   }
 
-
   /* The message seems to be a valid reLOAD framing message! */
 
   col_set_str(pinfo->cinfo, COL_PROTOCOL, "RELOAD Frame");
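Review bot: with this change an ACK frame is still accepted on the strength of a single byte: `} else if (type != ACK) {` rejects unknown types, but any packet whose first byte happens to equal ACK passes with no further validation, so the heuristic remains one byte of entropy away from the same mis-dissection reported for rlc-lte. The ACK branch should test something concrete the way the DATA branch tests the token, for instance that effective_length matches whatever fixed size an ACK frame is defined to have, before control reaches col_set_str. The deletion of the blank line before `/* The message seems to be a valid reLOAD framing message! */` is unrelated whitespace churn and is better kept out of a functional fix.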



Thanks,
Pascal.
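The check quoted above and the stricter form the patch moves toward, modelled side by side as an added example (not Wireshark's code) on plain byte buffers rather than tvbuffs. The frame-type values data(128)/ack(129), the 9-byte ACK frame and the relo_token 0xd2454c4f are taken from RFC 6940 and are assumptions about what the 2010 dissector used; the sample packets are constructed, and the rlc-lte sample only mimics the ASCII tag the LTE-RLC heuristic prepends.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed from RFC 6940: FramedMessageType data(128)/ack(129) and the
 * forwarding header's relo_token. The 2010 draft may have differed. */
#define FRAME_DATA                128
#define FRAME_ACK                 129
#define RELOAD_TOKEN              0xd2454c4fu
#define MIN_HDR_LENGTH            1            /* type byte */
#define DATA_HDR_LENGTH           (1 + 4 + 3)  /* type, sequence, uint24 length */
#define ACK_FRAME_LENGTH          (1 + 4 + 4)  /* type, ack_sequence, received */
#define MIN_RELOADDATA_HDR_LENGTH 4            /* message must at least hold relo_token */

static uint32_t get_be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Mirrors the logic quoted in the mail: only DATA frames are checked, and
 * any other first byte falls through and the packet is claimed as ReLOAD.
 * (Wireshark's tvb accessors throw on short data; here we bounds-check.) */
int reload_heur_weak(const uint8_t *buf, size_t len)
{
    if (len < MIN_HDR_LENGTH)
        return 0;
    if (buf[0] == FRAME_DATA) {
        if (len < DATA_HDR_LENGTH + MIN_RELOADDATA_HDR_LENGTH)
            return 0;
        if (get_be24(buf + 1 + 4) < MIN_RELOADDATA_HDR_LENGTH)
            return 0;
        if (get_be32(buf + DATA_HDR_LENGTH) != RELOAD_TOKEN)
            return 0;
    }
    return 1;   /* everything that is not a DATA frame is accepted unchecked */
}

/* Hardened variant: each frame type must satisfy a concrete invariant and
 * unknown types are rejected instead of being accepted by default. */
int reload_heur_strict(const uint8_t *buf, size_t len)
{
    if (len < MIN_HDR_LENGTH)
        return 0;
    switch (buf[0]) {
    case FRAME_DATA: {
        if (len < DATA_HDR_LENGTH + MIN_RELOADDATA_HDR_LENGTH)
            return 0;
        uint32_t msg_len = get_be24(buf + 1 + 4);
        /* The framed message must fit the datagram and start with the token. */
        if (msg_len < MIN_RELOADDATA_HDR_LENGTH || msg_len > len - DATA_HDR_LENGTH)
            return 0;
        return get_be32(buf + DATA_HDR_LENGTH) == RELOAD_TOKEN;
    }
    case FRAME_ACK:
        /* An ACK frame is exactly type + ack_sequence + received bitmap. */
        return len == ACK_FRAME_LENGTH;
    default:
        return 0;
    }
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_rlc_lte[] = {      /* "rlc-lte" tag + filler RLC bytes */
    'r', 'l', 'c', '-', 'l', 't', 'e', 0x01, 0x02, 0x03, 0x04, 0x05
};
static const uint8_t sample_data_ok[] = {      /* DATA, seq 1, len 4, relo_token */
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0xd2, 0x45, 0x4c, 0x4f
};
static const uint8_t sample_data_bad_token[] = { /* same frame, corrupted token */
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0x52, 0x45, 0x4c, 0x4f
};
static const uint8_t sample_ack_ok[] = {       /* ACK, ack_sequence 1, received 0 */
    0x81, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};
static const uint8_t sample_ack_long[] = {     /* ACK type byte + trailing garbage */
    0x81, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc
};

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } samples[] = {
        { "rlc-lte payload", sample_rlc_lte,        sizeof sample_rlc_lte },
        { "DATA frame",      sample_data_ok,        sizeof sample_data_ok },
        { "DATA, bad token", sample_data_bad_token, sizeof sample_data_bad_token },
        { "ACK frame",       sample_ack_ok,         sizeof sample_ack_ok },
        { "ACK + trailing",  sample_ack_long,       sizeof sample_ack_long },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s weak=%d strict=%d\n", samples[i].name,
               reload_heur_weak(samples[i].buf, samples[i].len),
               reload_heur_strict(samples[i].buf, samples[i].len));
    return 0;
}
```

The weak variant claims the rlc-lte payload because 'r' is simply not DATA, which is the fall-through the mail describes; the strict variant only ever returns 1 after checking an invariant of the specific frame type, so a single matching type byte is no longer enough to steal a packet from another heuristic registered on the same UDP port range.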
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe