Wireshark mailing list archives

LDAP dissector reports malformed filter in search requests (v1.4.4)


From: john_dale () us ibm com
Date: Sat, 12 Mar 2011 14:44:35 -0500

Wireshark 1.4.4 reports malformed packet parsing filter in LDAP 
searchRequest. Is this a bug, or something I can work around?

Specifically, I get these error messages:
  Expert Info (Error/Undecoded): Found more than 200 filter elements. Giving up.
  Expert Info (Error/Malformed): Malformed Packet (Exception occurred).

As an example, here is a simple LDAPMessage showing the problem:
  LDAPMessage: 
  frame[54:45] == 30:2b:02:01:04:63:26:04:00:0a:01:00:0a:01:00:02:01:00:02:02:02:58:01:01:00:87:0b:6f:62:6a:65:63:74:63:6c:61:73:73:30:05:04:03:31:2e:31
(Manual parse below.)

I'm getting this in all LDAP searchRequests. 
I don't see problems with other LDAP messages other than searchRequest.

Version 1.4.4 (SVN Rev 36110 from /trunk-1.4)
Compiled (32-bit) with GTK+ 2.16.6, with GLib 2.22.4, 
with WinPcap (version unknown), with libz 1.2.3, without POSIX 
capabilities, 
without libpcre, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, 
without Python, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, 
with GeoIP, with PortAudio V19-devel (built Mar 1 2011), with AirPcap.
Running on Windows Server 2003 Service Pack 2, build 3790, 
with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), 
based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 2.8.5, 
Gcrypt 1.4.5, without AirPcap.

Manual parse:
30 2b # SEQUENCE
   02 01 04 # MessageID INTEGER
   63 26 # [Application 3] SEQUENCE
      04 00 # baseObject LDAPDN (OCTET STRING)
      0a 01 00 # scope ENUMERATED
      0a 01 00 # derefAliases ENUMERATED
      02 01 00 # sizeLimit INTEGER
      02 02 02 58 # timeLimit INTEGER (600)
      01 01 00 # typesOnly BOOLEAN
     The error seems to occur in parsing the "filter", 
        which has exactly one element.
      87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 
         # filter : present [7] AttributeType "objectclass"
      30 05 # attributes SEQUENCEOF
         04 03 31 2e 31 "1.1"
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
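
The manual parse in the message above can be checked mechanically. The following is an added example, not part of the original post and not Wireshark's code: a minimal BER walker run over the bytes quoted in the post. The function names are illustrative, and it handles only low tag numbers and definite lengths.

```python
# Bytes exactly as quoted in the post (frame[54:45]).
HEX = ("30:2b:02:01:04:63:26:04:00:0a:01:00:0a:01:00:02:01:00:02:02"
       ":02:58:01:01:00:87:0b:6f:62:6a:65:63:74:63:6c:61:73:73:30:05:04:03:31:2e:31")
MSG = bytes.fromhex(HEX.replace(":", ""))

# Filter CHOICE tag numbers from RFC 4511, section 4.5.1.
FILTER_CHOICES = {0: "and", 1: "or", 2: "not", 3: "equalityMatch", 4: "substrings",
                  5: "greaterOrEqual", 6: "lessOrEqual", 7: "present",
                  8: "approxMatch", 9: "extensibleMatch"}

def read_tlv(buf, pos):
    """Decode one BER TLV; return (class, constructed, tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    ident, length = buf[pos], buf[pos + 1]
    if ident & 0x1F == 0x1F or length == 0x80:
        raise ValueError("high tag number / indefinite length not handled")
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length overruns buffer")
    return ident >> 6, bool(ident & 0x20), ident & 0x1F, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed TLV into its member TLVs."""
    out, pos = [], 0
    while pos < len(value):
        *tlv, pos = read_tlv(value, pos)
        out.append(tuple(tlv))
    return out

def parse_search_request(msg):
    _, _, _, body, end = read_tlv(msg, 0)
    if end != len(msg):
        raise ValueError("trailing bytes after LDAPMessage")
    msg_id, op = children(body)[:2]
    if (op[0], op[2]) != (1, 3):           # [APPLICATION 3] = searchRequest
        raise ValueError("not a searchRequest")
    base, scope, deref, size, time_limit, types_only, flt, attrs = children(op[3])
    return {"messageID": int.from_bytes(msg_id[3], "big", signed=True),
            "timeLimit": int.from_bytes(time_limit[3], "big", signed=True),
            "filter": (FILTER_CHOICES[flt[2]], flt[3].decode()),
            "filterConstructed": flt[1],
            "attributes": [a[3].decode() for a in children(attrs[3])]}

if __name__ == "__main__":
    print(parse_search_request(MSG))
```

The filter decodes as a single primitive context tag [7] (`present`) with no nested elements, which matches the manual parse.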
