Wireshark mailing list archives

Re: dissect_ip() and check for header length


From: Petr Sumbera <Petr.Sumbera () Sun COM>
Date: Fri, 17 Sep 2010 14:32:55 +0200

On 16.09.10 19:52, Guy Harris wrote:
On Sep 16, 2010, at 7:12 AM, Petr Sumbera wrote:
I didn't say how big the *packet* is, I said how big the *header* is.  IPv4 has two length fields, the header length, 
which is what you say is zero, and the total length.  If you only know the total length, you *CANNOT* determine the 
header length.  What you originally said was

But the problem is that stored packets for *outgoing* traffic don't
contain "Header length" (it's zero, as at the layer where it was captured it
wasn't filled; the same is the case for "Header checksum").

dissect_ip() for such packets will report just:
"Header length: %u bytes (bogus, must be at least %u)".

which was referring to the header length, not the total length.

My mistake: I found the wrong occurrence of the word "bogus" and worked with it.
In reality I'm seeing only this:

Total length: 0 bytes (bogus, less than header length 20)

You would have to make a copy of the packet data and construct a new tvbuff - and even that, as noted, can not and 
will not fix

I guess I should go this way then?

For now I did another quick hack; you probably wouldn't like it:

--- wireshark-1.2.10/epan/dissectors/packet-ip.c.orig
+++ wireshark-1.2.10/epan/dissectors/packet-ip.c
@@ -1487,7 +1487,7 @@
    if (ip_tso_supported && !iph->ip_len)
           iph->ip_len = tvb_reported_length(tvb);

-  if (iph->ip_len < hlen) {
+  if (iph->ip_len < hlen && (iph->ip_len!=0 && tvb_get_ntohs(tvb, 
offset + 10)!=0)) {
      if (check_col(pinfo->cinfo, COL_INFO))
        col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less 
than header length %u)",
         iph->ip_len, hlen);
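Review bot: The added clause `(iph->ip_len!=0 && tvb_get_ntohs(tvb, offset + 10)!=0)` makes the bogus-length branch depend on the header checksum field being non-zero, so a packet with a non-zero total length smaller than hlen and a zeroed checksum is no longer flagged. If the goal is only to tolerate a total length of 0 on locally captured outgoing packets, test that case alone (for example `iph->ip_len != 0 && iph->ip_len < hlen`), preferably behind a preference the way the `ip_tso_supported` lines just above are, and keep every other short length on the bogus path. The bare `offset + 10` also deserves a comment saying it reads the header checksum.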
@@ -1504,7 +1504,8 @@
     * obviously bogus, adjust the length of this tvbuff to include only
     * the IP datagram.
     */
-  set_actual_length(tvb, iph->ip_len);
+  if (iph->ip_len)
+    set_actual_length(tvb, iph->ip_len);

    if (tree)
         proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, 
iph->ip_len);
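Review bot: Guarding set_actual_length() with `if (iph->ip_len)` only skips the trim; iph->ip_len itself stays 0, so the hf_ip_len item added just below, and any later use of ip_len, still works from a zero length. The `ip_tso_supported` lines in the previous hunk already replace a zero length with tvb_reported_length(tvb); making the same substitution for this case would remove the need for a special case here. The guard also does not cover a non-zero ip_len below hlen, which the first hunk now lets through when the checksum field is zero and which would still reach set_actual_length().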

Thanks for helping me with this!

Petr
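
The distinction drawn in this thread between the IPv4 header length and total length fields, as an added example that is not part of the original message and is not Wireshark code. The function name, the status names and the `allow_zero_total` flag are hypothetical; the flag stands in for a policy like the `ip_tso_supported` check visible in the patch context.

```c
#include <stddef.h>
#include <stdint.h>

/* Result names are illustrative, not Wireshark identifiers. */
enum ip_len_status {
    IP_LEN_OK,            /* both length fields are usable                 */
    IP_LEN_TRUNCATED,     /* fewer than 20 bytes of header were captured   */
    IP_LEN_BAD_HLEN,      /* header length field below 20 bytes            */
    IP_LEN_BAD_TOTAL,     /* total length below header length              */
    IP_LEN_ZERO_FALLBACK  /* total length 0, captured length used instead  */
};

#define IPV4_MIN_HLEN 20u

/* Constructed sample headers (not from a real capture); unlisted bytes are 0. */
static const uint8_t sample_ok[20]          = {0x45, 0x00, 0x00, 0x14};
static const uint8_t sample_zero_total[20]  = {0x45, 0x00, 0x00, 0x00};
static const uint8_t sample_short_total[20] = {0x45, 0x00, 0x00, 0x05};
static const uint8_t sample_zero_hlen[20]   = {0x40, 0x00, 0x00, 0x14};

/* buf/caplen: captured bytes starting at the IPv4 header.
 * allow_zero_total: caller policy (assumed here): accept a total length
 * of 0 and fall back to the captured length.
 * *hlen and *total are valid on IP_LEN_OK and IP_LEN_ZERO_FALLBACK. */
enum ip_len_status
check_ipv4_lengths(const uint8_t *buf, size_t caplen, int allow_zero_total,
                   unsigned *hlen, unsigned *total)
{
    if (caplen < IPV4_MIN_HLEN)
        return IP_LEN_TRUNCATED;

    /* Header length: low nibble of byte 0, counted in 32-bit words. */
    *hlen = (buf[0] & 0x0Fu) * 4u;
    if (*hlen < IPV4_MIN_HLEN)
        return IP_LEN_BAD_HLEN;   /* cannot be recovered from total length */

    /* Total length: bytes 2-3, network byte order. */
    *total = ((unsigned)buf[2] << 8) | buf[3];

    if (*total == 0 && allow_zero_total) {
        *total = (unsigned)caplen;  /* field was never filled in */
        return IP_LEN_ZERO_FALLBACK;
    }
    if (*total < *hlen)
        return IP_LEN_BAD_TOTAL;  /* includes 0 when the policy is off */
    return IP_LEN_OK;
}
```

Only a total length of exactly 0 takes the fallback; a non-zero total length below the header length stays on the error path whatever the policy flag says.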
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>