[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-03-10 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

Rasmus Jonsson  changed:

   What     | Removed       | Added
   ---------+---------------+------------------------------
   Assignee | was...@zom.bi | bugzilla-ad...@wireshark.org

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-27 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

--- Comment #3 from Rasmus Jonsson  ---
> Some kind of an option allowing earlier
> attribution to the TCP stream does appear desirable IMHO

Possibly good news. There was such a setting right under my nose before. Edit >
Preferences > ICMP > [] Favor ICMP Extensions

However, it didn't change the analysis results of your capture on my end.


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-27 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

--- Comment #2 from VadimZakharine  ---
Hello Rasmus,

as per:

> The reason this works is that the code expects a multiple of 32 bytes, when 
> you padded you reached 32, and it was treated as the "original datagram" part.

yes, it does make sense that under normal circumstances the protocol dissector
expects the header aligned by the 16 B border (only the first 8 B were included
in ICMP). My point here is that ICMP probably deserves an exception (e. g. the
payload cannot be reassembled as the first IP fragment; cannot count as a
retransmission and/or keepalive; doesn't imply that the corresponding TCP
stream can be considered finished even if the Rst flag is set; etc.)

Looking at "Expert Info (Error/Protocol): Bogus TCP header length <...>" I'm
not so sure if user-selectable padding with 0x00 (or any other value) is the
best approach available here. Some kind of an option allowing earlier
attribution to the TCP stream does appear desirable IMHO

Thank you
Vadim
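
Added example, not part of the original thread and not Wireshark's code: the first 8 bytes of a quoted TCP header already carry both ports and the sequence number, so an ICMPv4 error can be mapped to a TCP flow key even when the quote is shorter than a full TCP header. The function names, addresses and ports below are constructed for illustration.

```python
import socket
import struct

# ICMPv4 error types whose payload quotes the offending datagram
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def flow_from_icmp_error(icmp: bytes):
    """Return (src, sport, dst, dport, seq) of the TCP segment quoted in an
    ICMPv4 error, or None if the quote is not TCP or is too short."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    quoted = icmp[8:]                      # skip the 8-byte ICMP header
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None                        # no complete quoted IPv4 header
    ihl = (quoted[0] & 0x0F) * 4           # quoted IP header length in bytes
    if ihl < 20 or len(quoted) < ihl + 8:
        return None                        # fewer than 8 bytes of transport data
    if quoted[9] != 6:                     # quoted protocol is not TCP
        return None
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    # Ports and sequence number occupy the first 8 bytes of the TCP header.
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return (src, sport, dst, dport, seq)

def build_sample(tcp_quote_len=8, proto=6):
    """Constructed ICMP 'destination unreachable' quoting a truncated segment."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0x01020304, 0,
                      0x50, 0x02, 64240, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000,
                           64, proto, 0,
                           socket.inet_aton("192.0.2.10"),
                           socket.inet_aton("198.51.100.20"))
    icmp_hdr = struct.pack("!BBHI", 3, 1, 0, 0)   # checksum left at 0
    return icmp_hdr + inner_ip + tcp[:tcp_quote_len]

if __name__ == "__main__":
    print(flow_from_icmp_error(build_sample(8)))
```

The returned tuple is in the direction of the quoted datagram, that is, the packet sent by the host that later received the ICMP error.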


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-26 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

--- Comment #1 from Rasmus Jonsson  ---
This is in fact expected behaviour. packet-icmp.c has the following comment:

/* There is a collision between RFC 1812 and draft-ietf-mpls-icmp-02.
   We don't know how to decode the 128th and following bytes of the ICMP payload.
   According to draft-ietf-mpls-icmp-02, these bytes should be decoded as MPLS extensions
   whereas RFC 1812 tells us to decode them as a portion of the original packet.
   Let the user decide.
   Here the user decided to favor MPLS extensions.
   Force the IP dissector to decode only the first 128 bytes. */

https://tools.ietf.org/html/rfc1812
https://tools.ietf.org/html/draft-ietf-mpls-icmp-02

Wireshark opted for the second approach.

> * The encapsulated TCP header not padded enough (the enveloping IP packet
> length increased from the original 56 to only 63 B) so, that the dissector
> engine does not associate it with any TCP streams:

The reason this works is that the code expects a multiple of 32 bytes, when you
padded you reached 32, and it was treated as the "original datagram" part.

Perhaps the "user choice" could be moved into the Wireshark preferences?


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-26 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

Rasmus Jonsson  changed:

   What     | Removed                      | Added
   ---------+------------------------------+---------------
   Assignee | bugzilla-ad...@wireshark.org | was...@zom.bi
   CC       |                              | was...@zom.bi


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-26 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

Rasmus Jonsson  changed:

   What           | Removed     | Added
   ---------------+-------------+-----------
   Ever confirmed | 0           | 1
   Status         | UNCONFIRMED | CONFIRMED


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-26 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

Betty DuBois  changed:

   What | Removed | Added
   -----+---------+-----------------------
   CC   |         | be...@bettydubois.com


[Wireshark-bugs] [Bug 16396] TCP stream not linked if ICMP includes less than 16 B of TCP

2020-02-17 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16396

VadimZakharine  changed:

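   What    | Removed                                                         | Added
   --------+-----------------------------------------------------------------+-------------------------------------------------------------
   Summary | TCP stream not allocated if ICMP includes less than 16 B of TCP | TCP stream not linked if ICMP includes less than 16 B of TCP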
