Re: [Wireshark-users] bad handling of DHCP option 90?
Hi, What about the presentation of the HMAC MD5 Hash? That's got to be conditional as well. Please refer to the SVN version, your line numbers seem to indicate an older revision of the file. Thanx, Jaap On Mon, 23 Apr 2007, Stefan Puiu wrote: Stefan Puiu [EMAIL PROTECTED] writes: Hi all, I captured some DHCP traffic using DHCP AUTH (option 90 - see RFC3118) using tcpdump on a Linux device and was then trying to view it from wireshark (0.99.4) on Windows. The problem is I'm getting some warnings on the option length, and I think they are wrong. OK, I've decided to dive a bit into the code and see what's wrong. I seem to have found the offending code in epan/dissectors/proto-bootp.c. It seems that there's a general check on option 90 so that the length field is = 11, which seems right according to RFC3118. Then, wireshark expects the option length to be = 31 if HMAC-MD5 is used - trouble is, that is valid for packets of any other type besides DHCPDISCOVER. Here'an attempt at a patch - since I'm using cygwin on Windows, I can't verify it: --- packet-bootp.c.orig 2007-02-02 00:00:56.0 +0200 +++ packet-bootp.c2007-04-24 00:42:44.267830400 +0300 @@ -1172,11 +1172,20 @@ switch (algorithm) { case AUTHEN_DELAYED_ALGO_HMAC_MD5: - if (optlen 31) { + if (!strcmp(*dhcp_type_p, Discover)) { + if (optlen 11) { + proto_item_append_text(vti, + length isn't = 11); + break; + } + } + else if (optlen 31) { proto_item_append_text(vti, length isn't = 31); break; } + + proto_tree_add_text(v_tree, tvb, optoff, 4, Secret ID: 0x%08x, tvb_get_ntohl(tvb, optoff)); Basically, it uses 11 as the minimum size if the DHCP message type is DHCPDISCOVER, and 31 otherwise. Stefan. ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] TCP reassembling for HTTP messages extraction
Hi, Maybe that's a dummy question but i wasn't able to figure it out from the archive... So, I have a trace of TCP messages with HTTP messages as payload... I would like to extract these HTTP messages and only to a file... The 'follow TCP stream' option seems to work only for one stream but my trace clusters many streams ... Is there a way to get all the HTTP messages from my trace ? thx ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Assembling of fragmented IP protocol packets
Hi, is there a possibility to arrange Wireshsark to assemble fragmented IP protocol packets? I trace SIP traffic and some INVITE messages are ~ 1800 bytes long. The application reassembles, why not also Wireshark? The problem is that I use a tool to process the pcap-file and produce a nice message flow, but the INVITE messages are never included. Is there some possibility to force Wireshark to assembling fragmented IP protocol packets? Cheers FRanz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
Hi, How about Edit-preferences-Protocols-IP Reassemble Fragmented IP datagrams = True ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Franz Edler Sent: den 24 april 2007 18:47 To: wireshark-users@wireshark.org Subject: [Wireshark-users] Assembling of fragmented IP protocol packets Hi, is there a possibility to arrange Wireshsark to assemble fragmented IP protocol packets? I trace SIP traffic and some INVITE messages are ~ 1800 bytes long. The application reassembles, why not also Wireshark? The problem is that I use a tool to process the pcap-file and produce a nice message flow, but the INVITE messages are never included. Is there some possibility to force Wireshark to assembling fragmented IP protocol packets? Cheers FRanz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
Hi, From what I can se there is no second fragment in the trace, hence no reassembly. Best regards Anders -Ursprungligt meddelande- Från: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] För Franz Edler Skickat: den 24 april 2007 19:25 Till: 'Anders Broman (AL/EAB)'; 'Community support list for Wireshark' Ämne: Re: [Wireshark-users] Assembling of fragmented IP protocol packets How about Edit-preferences-Protocols-IP Reassemble Fragmented IP datagrams = True ? Thanks. This has an effect. If IP Reassemble Fragmented IP datagrams = false (not checked) than the packets are assembled, otherwise not. I have attached a small tracefile with some fragmented packets (e.g. packet No. 4). Cheers Franz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
Thanks again. You are right. The packets are cut after 1500 bytes. The problem is now at Linux tcpdump which was the tool that produced the trace. Best regards Franz -Original Message- From: Anders Broman [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 24, 2007 8:13 PM To: [EMAIL PROTECTED]; 'Community support list for Wireshark' Subject: SV: [Wireshark-users] Assembling of fragmented IP protocol packets Hi, From what I can se there is no second fragment in the trace, hence no reassembly. Best regards Anders -Ursprungligt meddelande- Från: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] För Franz Edler Skickat: den 24 april 2007 19:25 Till: 'Anders Broman (AL/EAB)'; 'Community support list for Wireshark' Ämne: Re: [Wireshark-users] Assembling of fragmented IP protocol packets How about Edit-preferences-Protocols-IP Reassemble Fragmented IP datagrams = True ? Thanks. This has an effect. If IP Reassemble Fragmented IP datagrams = false (not checked) than the packets are assembled, otherwise not. I have attached a small tracefile with some fragmented packets (e.g. packet No. 4). Cheers Franz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
On Tue, Apr 24, 2007 at 08:21:38PM +0200, Franz Edler wrote: Thanks again. You are right. The packets are cut after 1500 bytes. The problem is now at Linux tcpdump which was the tool that produced the trace. Did you by any chance use a filter with port numbers? Since port numbers are only present in the IP-fragment that has the UDP/TCP header in it all the other fragments are not seen by the filter. If you only filter on ip-addresses you should be fine though :) Hope this helps, Cheers, Sake ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
Hi, Did you by any chance use a filter with port numbers? Since port numbers are only present in the IP-fragment that has the UDP/TCP header in it all the other fragments are not seen by the filter. Yes. I used a port filter. If you only filter on ip-addresses you should be fine though :) I will just try it again. Hope this helps, Cheers, This would be fine. -franz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Assembling of fragmented IP protocol packets
Yes, If you only filter on ip-addresses you should be fine though :) It now works. Tcpdump dumps all fragments and these are correctly re-assembled by wireshark and by the tool to produce the message flow. Thanks again, all the helped so quickly. -Franz ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] TCP reassembling for HTTP messages extraction
On Tue, Apr 24, 2007 at 06:25:12PM +0200, Laurent Burgy wrote: So, I have a trace of TCP messages with HTTP messages as payload... I would like to extract these HTTP messages and only to a file... The 'follow TCP stream' option seems to work only for one stream but my trace clusters many streams ... Is there a way to get all the HTTP messages from my trace ? What do you want to do with the HTTP messages? Save all of the data from them (HTML pages, images, other downloaded files, etc.)? Or just save a stream of all of the HTTP streams together? Steve ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] TCP reassembling for HTTP messages extraction
Stephen Fisher a écrit : What do you want to do with the HTTP messages? Save all of the data from them (HTML pages, images, other downloaded files, etc.)? Or just save a stream of all of the HTTP streams together? Just save a stream of all of the HTTP streams together ... ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] bad handling of DHCP option 90?
Thanks for the reply, actually, both the secret ID and HMAC fields are not present in DHCPDISCOVER messages. I've attached a new stab at a patch against the SVN head - the previous one was against the 0.99.5 source. Stefan. On 4/24/07, Jaap Keuter [EMAIL PROTECTED] wrote: Hi, What about the presentation of the HMAC MD5 Hash? That's got to be conditional as well. Please refer to the SVN version, your line numbers seem to indicate an older revision of the file. Thanx, Jaap On Mon, 23 Apr 2007, Stefan Puiu wrote: Stefan Puiu [EMAIL PROTECTED] writes: Hi all, I captured some DHCP traffic using DHCP AUTH (option 90 - see RFC3118) using tcpdump on a Linux device and was then trying to view it from wireshark (0.99.4) on Windows. The problem is I'm getting some warnings on the option length, and I think they are wrong. OK, I've decided to dive a bit into the code and see what's wrong. I seem to have found the offending code in epan/dissectors/proto-bootp.c. It seems that there's a general check on option 90 so that the length field is = 11, which seems right according to RFC3118. Then, wireshark expects the option length to be = 31 if HMAC-MD5 is used - trouble is, that is valid for packets of any other type besides DHCPDISCOVER. Here'an attempt at a patch - since I'm using cygwin on Windows, I can't verify it: --- packet-bootp.c.orig 2007-02-02 00:00:56.0 +0200 +++ packet-bootp.c2007-04-24 00:42:44.267830400 +0300 @@ -1172,11 +1172,20 @@ switch (algorithm) { case AUTHEN_DELAYED_ALGO_HMAC_MD5: - if (optlen 31) { + if (!strcmp(*dhcp_type_p, Discover)) { + if (optlen 11) { + proto_item_append_text(vti, + length isn't = 11); + break; + } + } + else if (optlen 31) { proto_item_append_text(vti, length isn't = 31); break; } + + proto_tree_add_text(v_tree, tvb, optoff, 4, Secret ID: 0x%08x, tvb_get_ntohl(tvb, optoff)); Basically, it uses 11 as the minimum size if the DHCP message type is DHCPDISCOVER, and 31 otherwise. Stefan. ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users dhcp_auth.diff Description: Binary data ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users