Re: Reassembly of IP fragments gets confused by multiple packets on different VLANS

[Anders Broman <anders.broman () ericsson com>]

Hi,
Trying to summarize…

captured on the "all" interface of a Linux machine acting as a router, or merged two captures from networks on 
different sides of a router.

various sorts of tunneling (or "other sorts of tunneling", if you view VLANs as a form of tunneling)

The right generalization might be to have some sort of "network tag" which incorporates a network interface ID plus all 
VLAN tags for the packet ("all VLAN tags" to handle QinQ).


So if we go for network tag, or key should that be created by
Outer VLAN tag, Hash of Source MAC, protocol-level, interface index(Pcap-ng)?

Outer VLAN tag should take care of, VLAN and QinQ, right?
Source MAC should take care of, “duplicate caused by mirroring” and alike(?)
Pinfo- curr_layer_num Should take care of tunneling(?)
Interface index should take care of ANY interface traces(?)

What size should the key be, is 32bits enough?

Starting by using outer VLAN ID in the IP dissector should take care of part of the problem at least.

Best regards
Anders





From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Michael Mann
Sent: den 20 januari 2016 16:29
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] Reassembly of IP fragments gets confused by multiple packets on different VLANS

See bug 4561 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4561)



-----Original Message-----
From: Anders Broman <anders.broman () ericsson com<mailto:anders.broman () ericsson com>>
To: wireshark-dev <wireshark-dev () wireshark org<mailto:wireshark-dev () wireshark org>>
Sent: Wed, Jan 20, 2016 10:13 am
Subject: [Wireshark-dev] Reassembly of IP fragments gets confused by multiple packets on different VLANS
Hi,
I just came across a problem where reassembly of IP fragments failed/messed up, see 
https://code.wireshark.org/review/#/c/13452/
The problem was fixed by changing line 2409 in packet-ip.c to
                                   iph->ip_p ^ iph->ip_id ^ src32 ^ dst32 ^ pinfo->vlan_id,
e.g throw vlan_id into the mix as well.

A better fix might be to change the addresses_reassembly_table_functions functions ( reassembly.c line 152) to include
VLAN Id as well, Opinions?

I think similar problems may exist in the TCP dissector too e.g TCP messages on different VLANS seen as duplicates 
possibly messing up
TCP analysis and reassembly. Perhaps conversations should take VLAN into account too.
Best regards
Anders
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <<a href='mailto:wireshark-dev () wireshark org'>wireshark-dev () wireshark 
org<mailto:wireshark-dev () wireshark org>>
Archives:    <a href="https: wireshark-dev? target="_blank" 
listswww.wireshark.org="">https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: <a href="https: wireshark-dev? target="_blank" 
optionsmailmanwireshark.org="">https://wireshark.org/mailman/options/wireshark-dev
             <a href='mailto:wireshark-dev-request () wireshark org?subject=unsubscribe'>mailto:wireshark-dev-request 
() wireshark org?subject=unsubscribe</a<mailto:wireshark-dev-request () wireshark org?subject=unsubscribe%3c/a> 
href='mailto:wireshark-dev-request () wireshark org?subject=unsubscribe'></a href="https:></a 
href='mailto:wireshark-dev () wireshark org'>

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe