
Wireshark-dev: Re: [Wireshark-dev] Ethernet dissector

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Sun, 23 May 2021 08:55:15 -0400
On Sun, May 23, 2021 at 8:06 AM Antonello Tartamo <antonellotartamo@xxxxxxxxx> wrote:
> Hello everyone,
> I'm trying to create an ethernet dissector for a custom protocol working on L2.
>
> In proto_reg_handoff_myproto() function I've called:
> heur_dissector_add("eth", dissect_myproto, "MyProtocol", "mp", proto_mp, HEURISTIC_ENABLE);
> eth_handle = find_dissector("eth_withoutfcs");
>
> then in the dissect_myproto function when I call:
> tvbuff_t* next_tvb = tvb_new_subset_remaining(tvb, 0);
> int new_off = call_dissector(eth_handle, tvb, pinfo, tree);
> return new_off;
>
> I get the following two errors on the terminal:
> ** (wireshark:11483): WARNING **: 07:31:59.826: Dissector bug, protocol Ethernet, in packet 12: /home/osboxes/Devel/wireshark/epan/packet.c:2794: failed assertion "saved_layers_len < 500"
>
> ** (wireshark:11483): WARNING **: 07:31:59.826: Dissector bug, protocol Ethernet, in packet 12: /home/osboxes/Devel/wireshark/epan/packet.c:775: failed assertion "saved_layers_len < 500"
>
> I'm running the development wireshark with ./run/wireshark.
>
> I think the error is due to the fact that both the heuristic dissector and the "find_dissector" are ethernet based.
> Is there another way to reuse the ethernet dissector and avoid manually adding to the tree the src/dst mac addresses and the ethertype?

The error is that the number of layers in the packet is too large (and that variable is only 8 bit.) While it's possible to run into that assertion legitimately with some protocols that have a disgusting amount of PDUs and encapsulation, you have an infinite loop.
eth_handle calls dissect_eth_common, which calls dissector_try_heuristic which eventually calls your dissect_myproto.
But dissect_myproto hands the tvb back unchanged to the Ethernet dissector, which will call dissect_myproto, ad infinitum.

Is dissect_myproto being called in any other way? If not, then there's no reason to call eth_handle there after you've registered it as a heuristic dissector with Ethernet. It doesn't call the Ethernet dissector; it's called by it. (It's also fine if it's being called by dissector_add_uint("ethertype", ETHERTYPE_MYPROTO, myproto_handle) or dissector_add_for_decode_as[_with_preference]("ethertype", myproto_handle) as well.)

If it's being called by something else (whether a custom DLT or whatever), then whatever else is calling it shouldn't call the same function as being registered in the heuristic dissector. It should call a different function.

John Thacker
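
The call chain described in this reply, as an added toy model in plain C (not Wireshark source and not code from either poster). model_eth, the single heuristic slot, MYPROTO_MAGIC and the byte-14 check are hypothetical stand-ins; the 500-layer limit mirrors the assertion in the warnings. It contrasts a heuristic that hands the buffer back to its caller with one that never re-enters it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LAYERS 500      /* mirrors the "saved_layers_len < 500" assertion */
#define MYPROTO_MAGIC 0x4D  /* hypothetical first payload byte of the custom protocol */

typedef struct { int layers; bool aborted; } pinfo_t;
typedef int (*heur_fn)(const uint8_t *buf, size_t len, pinfo_t *pinfo);
static heur_fn eth_heuristic; /* stands in for the "eth" heuristic list */

/* Stand-in for the Ethernet dissector: count a layer, then offer the frame to the heuristic. */
static int model_eth(const uint8_t *buf, size_t len, pinfo_t *pinfo)
{
    if (pinfo->layers >= MAX_LAYERS) { pinfo->aborted = true; return 0; }
    pinfo->layers++;
    if (eth_heuristic && eth_heuristic(buf, len, pinfo) > 0) return (int)len;
    return 14; /* only the Ethernet header was consumed */
}

/* Shape from the question: the unchanged buffer goes straight back to Ethernet. */
static int myproto_heur_buggy(const uint8_t *buf, size_t len, pinfo_t *pinfo)
{
    return model_eth(buf, len, pinfo);
}

/* Shape from the reply: accept or reject, dissect own bytes, never call the caller. */
static int myproto_heur_fixed(const uint8_t *buf, size_t len, pinfo_t *pinfo)
{
    if (len < 15 || buf[14] != MYPROTO_MAGIC) return 0; /* not ours: reject */
    pinfo->layers++;
    return (int)len;
}

/* Dissect one constructed 16-byte frame with the given heuristic installed. */
static pinfo_t dissect_with(heur_fn h)
{
    uint8_t frame[16] = {0};
    pinfo_t pinfo = {0, false};
    frame[14] = MYPROTO_MAGIC;
    eth_heuristic = h;
    model_eth(frame, sizeof frame, &pinfo);
    return pinfo;
}

int main(void)
{
    pinfo_t b = dissect_with(myproto_heur_buggy), f = dissect_with(myproto_heur_fixed);
    printf("buggy: layers=%d aborted=%d\n", b.layers, b.aborted);
    printf("fixed: layers=%d aborted=%d\n", f.layers, f.aborted);
    return 0;
}
```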