Wireshark mailing list archives
CoAP dissector mixed-up about Accept and Content-Format?
From: Stuart Longland <stuartl () longlandclan id au>
Date: Wed, 13 Nov 2019 10:51:48 +1000
Hi all, Can someone explain what's going on here? I have a CoAP response packet that Wireshark is telling me is malformed.
0000 60 00 00 00 00 36 11 ff fd 34 fe 56 78 91 00 10 `....6.ÿý4þVx... 0010 54 62 5b 54 a7 d8 75 6f fd 9e e3 08 e1 4c b8 77 Tb[T§Øuoý.ã.áL¸w 0020 00 00 00 00 00 00 00 fd 16 33 f0 b0 00 36 33 73 .......ý.3ð°.63s 0030 48 02 b7 ea 88 e9 f5 60 ba 20 7c c9 18 35 3a 6e H.·ê.éõ`º |É.5:n 0040 7a 71 74 57 67 a1 63 10 3a 74 3d 6b 58 2d 78 4f zqtWg¡c.:t=kX-xO 0050 56 6f 69 21 3c ff 74 73 2e 63 2e 63 31 30 Voi!<ÿts.c.c10
That's the hex dump, attached is the pcap dump of it. The full summary is here:
No. Time Source Destination Protocol Length Info Payload Comment 25316 2250.908148 fd34:fe56:7891:10:5462:5b54:a7d8:756f fd9e:e308:e14c:b877::fd CoAP 94 CON, MID:47082, POST, TKN:88 e9 f5 60 ba 20 7c c9, /c?t=kX-xOVoi[Malformed Packet] Frame 25316: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) Encapsulation type: Raw IP (7) Arrival Time: Nov 13, 2019 10:36:32.155124000 AEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1573605392.155124000 seconds [Time delta from previous captured frame: 0.156517000 seconds] [Time delta from previous displayed frame: 0.156517000 seconds] [Time since reference or first frame: 2250.908148000 seconds] Frame Number: 25316 Frame Length: 94 bytes (752 bits) Capture Length: 94 bytes (752 bits) [Frame is marked: True] [Frame is ignored: False] [Protocols in frame: raw:ipv6:udp:coap:cbor] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Raw packet data Internet Protocol Version 6, Src: fd34:fe56:7891:10:5462:5b54:a7d8:756f, Dst: fd9e:e308:e14c:b877::fd 0110 .... = Version: 6 .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT) .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0) .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000 Payload Length: 54 Next Header: UDP (17) Hop Limit: 255 Source: fd34:fe56:7891:10:5462:5b54:a7d8:756f Destination: fd9e:e308:e14c:b877::fd User Datagram Protocol, Src Port: 5683, Dst Port: 61616 Source Port: 5683 Destination Port: 61616 Length: 54 Checksum: 0x3373 [unverified] [Checksum Status: Unverified] [Stream index: 0] Constrained Application Protocol, Confirmable, POST, MID:47082 01.. .... = Version: 1 ..00 .... = Type: Confirmable (0) .... 1000 = Token Length: 8 Code: POST (2) Message ID: 47082 Token: 88e9f560ba207cc9 Opt Name: #1: If-Match: 35 3a 6e 7a 71 74 57 67 Opt Desc: Type 1, Critical, Safe 0001 .... = Opt Delta: 1 .... 1000 = Opt Length: 8 If-Match: 353a6e7a71745767 Opt Name: #2: Uri-Path: c Opt Desc: Type 11, Critical, Unsafe 1010 .... = Opt Delta: 10 .... 0001 = Opt Length: 1 Uri-Path: c Opt Name: #3: Content-Format: text/plain; charset=utf-8 Opt Desc: Type 12, Elective, Safe 0001 .... = Opt Delta: 1 .... 0000 = Opt Length: 0 Content-type: text/plain; charset=utf-8 Opt Name: #4: Uri-Query: t=kX-xOVoi Opt Desc: Type 15, Critical, Unsafe 0011 .... = Opt Delta: 3 .... 1010 = Opt Length: 10 Uri-Query: t=kX-xOVoi Opt Name: #5: Accept: application/cbor Opt Desc: Type 17, Critical, Safe 0010 .... = Opt Delta: 2 .... 0001 = Opt Length: 1 Accept: application/cbor End of options marker: 255 [Response In: 25319] [Uri-Path: /c] Payload: Payload Content-Format: application/cbor, Length: 8 Payload Desc: application/cbor [Payload Length: 8] Concise Binary Object Representation [Malformed Packet: CBOR] [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)] [Malformed Packet (Exception occurred)] [Severity level: Error] [Group: Malformed]
It clearly knows its text/plain, specifically it's a JMESPath query. The CoAP client in this case is requesting a JMESPath query be performed on a JSON document stored server side, and that the server return the response back to it in CBOR format (hence "Accept: application/cbor"). That does not mean there is any CBOR contained anywhere in that packet. Why does WireShark try to interpret it as such? -- Stuart Longland (aka Redhatter, VK4MSL) I haven't lost my mind... ...it's backed up on a tape somewhere.
Attachment:
coap-badpacket.pcap
Description:
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- CoAP dissector mixed-up about Accept and Content-Format? Stuart Longland (Nov 12)
- Re: CoAP dissector mixed-up about Accept and Content-Format? Maynard, Chris via Wireshark-users (Nov 13)