Wireshark mailing list archives

Re: Wireshark or protocol bug? (HTTP MIME multipart)

From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Wed, 27 Oct 2010 08:56:22 +0200

On 10/25/2010 11:55 PM, Kaul wrote:



On Mon, Oct 25, 2010 at 3:30 PM, Jaap Keuter <jaap.keuter () xs4all nl
<mailto:jaap.keuter () xs4all nl>> wrote:

    Hi,

    I see no problem here. It loads fine in Wireshark 1.4.1.

    What I do see, and which is a bug in Wireshark, is that it doesn't
    treat it as multipart/mixed, as stated in RFC 2046, Section 5.1.3:

        Any"multipart"  subtypes that an implementation does not recognize
        must be treated as being of subtype"mixed".


Indeed (and I'll see if I can fix that), but I've actually also
specifically added multipart/encrypted to packet-multipart (and
registered gssapi in multipart_media_type table and in media_type table
so it'll recognize it specifically) - bu I still get the exception
(because of the missing CR-LF-CR-LF expected?). RFC 1847, section 2.2
seems to show an example - with double CRLF.

TIA,
Y.

    Thanks,
    Jaap

    On Sun, 24 Oct 2010 12:08:18 +0200, Kaul <mykaul () gmail com
    <mailto:mykaul () gmail com>> wrote:

    I'm trying to add dissection of Kerberos encrypted HTTP sessions.
    Mostly, it's OK (got the headers parsed correctly, would file a BZ
    for this patch soon).
    However, when I'm trying to work with the body, which is a MIME
    multipart, it fails with exception.
    The reason seems to be that it does not have the double CRLF which
    is expected between headers and body of a MIME (?):
    imf_find_field_end() seems to fail to find additional CRLF -
    before the binary data (which is actually a Kerberos blob) appears.

    Attached please find a small capture showing the problem - not
    sure who's fault it is - or if it's fixable somehow in Wireshark.
    See packet 8 (dissect as HTTP please).

    Regards,
    Y.


Hi,

I've committed the changes to handle unknown multipart subtypes as 
multipart/mixed in revision 34657. Unfortunately the protocol dissector itself 
has to be modified to make us of this feature. The HTTP dissector makes use of 
it as from revision 34658 and the SIP dissector from revision 34659. Others may 
have to follow.

With these changes your issue becomes apparent when loading your capture. Now 
all we have to do is figure out what's wrong. Should be easy...

Thanks,
Jaap
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

Wireshark or protocol bug? (HTTP MIME multipart) Kaul (Oct 24)
- Re: Wireshark or protocol bug? (HTTP MIME multipart) Jaap Keuter (Oct 25)
  - Re: Wireshark or protocol bug? (HTTP MIME multipart) Kaul (Oct 25)
    - Re: Wireshark or protocol bug? (HTTP MIME multipart) Anders Broman (Oct 26)
    - Re: Wireshark or protocol bug? (HTTP MIME multipart) Kaul (Oct 26)
    - Re: Wireshark or protocol bug? (HTTP MIME multipart) Jaap Keuter (Oct 26)