Wireshark mailing list archives
Re: dissect_ip() and check for header length
From: Petr Sumbera <petr.sumbera () oracle com>
Date: Fri, 01 Oct 2010 17:02:51 +0200
I think I haven't got any response. Can I have someone to comment on this?

Thanks,
Petr

On 17.09.10 14:32, Petr Sumbera wrote:
On 16.09.10 19:52, Guy Harris wrote:

On Sep 16, 2010, at 7:12 AM, Petr Sumbera wrote:

I didn't say how big the *packet* is, I said how big the *header* is. IPv4 has two length fields, the header length, which is what you say is zero, and the total length. If you only know the total length, you *CANNOT* determine the header length. What you originally said was

But the problem is that stored packets for *outgoing* traffic doesn't contain "Header length" (it's zero as at layer where it was captured it wasn't filled, the same case is for "Header checksum"). dissect_ip() for such packets will report just: "Header length: %u bytes (bogus, must be at least %u)".

which was referring to the header length, not the total length.

My mistake I found wrong occurrence of "bogus" word and worked with it. In reality I'm seeing only this:

Total length: 0 bytes (bogus, less than header length 20)

You would have to make a copy of the packet data and construct a new tvbuff - and even that, as noted, can not and will not fix

I guess I should go this way then? For now I did another quick hack you probably wouldn't like it:

--- wireshark-1.2.10/epan/dissectors/packet-ip.c.orig +++ wireshark-1.2.10/epan/dissectors/packet-ip.c @@ -1487,7 +1487,7 @@ if (ip_tso_supported && !iph->ip_len) iph->ip_len = tvb_reported_length(tvb); - if (iph->ip_len < hlen) { + if (iph->ip_len < hlen && (iph->ip_len!=0 && tvb_get_ntohs(tvb, offset + 10)!=0)) { if (check_col(pinfo->cinfo, COL_INFO)) col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less than header length %u)", iph->ip_len, hlen); @@ -1504,7 +1504,8 @@ * obviously bogus, adjust the length of this tvbuff to include only * the IP datagram. */ - set_actual_length(tvb, iph->ip_len); + if (iph->ip_len) + set_actual_length(tvb, iph->ip_len); if (tree) proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);

Thanks for helping me with this!

Petr
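Review bot: In the first hunk (@@ -1487), the added clause `(iph->ip_len!=0 && tvb_get_ntohs(tvb, offset + 10)!=0)` switches off the bogus-length check whenever either the total length or the 16-bit field at offset + 10 is zero, not only when both are. A datagram with a nonzero ip_len smaller than hlen and a zero value at offset + 10 is no longer reported as bogus and falls through to the code that follows. If the intent is to exempt only captures where both fields were left unfilled, the exemption should read `(iph->ip_len != 0 || tvb_get_ntohs(tvb, offset + 10) != 0)`. The context lines directly above already replace a zero ip_len with tvb_reported_length(tvb) when ip_tso_supported is set, so consider handling this case under that preference rather than relaxing the check for every capture. Please also add a comment saying that offset + 10 is the header checksum and why a zero there is taken as a hint.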
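Review bot: In the second hunk (@@ -1504), the guard `if (iph->ip_len)` covers only a zero total length, while the relaxed condition in the first hunk also lets a nonzero ip_len smaller than hlen through when the field at offset + 10 is zero. That value then reaches set_actual_length(tvb, iph->ip_len) and trims the tvbuff to less than the IP header. Guarding on `iph->ip_len >= hlen` would cover both cases. The comment above the call ("obviously bogus, adjust the length of this tvbuff ...") should be updated to say when the adjustment is now skipped, and the hf_ip_len item added just below still shows a length of 0 with no indication that the field was left unfilled at capture time.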