Hi guys,

Yes, I can reproduce this issue in the latest dev build (1.12.0-rc2). I’ve also 
reported a new bug in Bugzilla:

Bug 10289 - DNP3 dissector bug in multi-fragmented messages with TCP retransmissions
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10289>


Thanks,

Maksym Galemin | Software Engineer
Hydrix Pty Ltd
“Our Expertise – Your Competitive Advantage”
maksym.gale...@hydrix.com | direct +61 3 8573 5231 | mob +61 435 844 500
www.hydrix.com | fax +61 3 8573 5289 | phone +61 3 8573 5299

From: Graham Bloice [mailto:graham.blo...@trihedral.com]
Sent: Thursday, 17 July 2014 11:14 PM
To: Developer support list for Wireshark
Cc: Maksym Galemin
Subject: [SPAM - Invalid Headers] - Re: [Wireshark-dev] DNP3 dissector bug in 
multi-fragmented messages - Email found in subject

Happens in a "fairly" recent dev build.

For more info on reporting bugs, see http://wiki.wireshark.org/ReportingBugs

On 17 July 2014 13:26, Evan Huus <eapa...@gmail.com> wrote:
Hi Maksym, please file bugs in our bug tracker: 
https://bugs.wireshark.org/bugzilla/

It would also be helpful if you could check if the bug is still present in more 
recent versions (such as the 1.12 release candidate).

Evan

On Jul 17, 2014, at 3:54, Maksym Galemin <maksym.gale...@hydrix.com> wrote:
Hi all,

I’d like to report a bug in the DNP3 dissector for reassembled multi-fragment DNP3 
packets (DNP3 over TCP). In case of TCP retransmissions, the DNP3 dissector 
reassembles an invalid DNP3 application layer message by copying the retransmitted 
TCP data straight into the final DNP3 packet without checking whether it’s a 
retransmission or not. As a result, the dissector parses the DNP3 application layer 
payload incorrectly. Please find a capture file in the attachment: here in 
packet #18, DNP3 transport layer frame 6 (packet #6) is a retransmission of the 
frame 1 data (packet #1). Thanks.

----------------------------------------------------------------------------------------------------------
Version 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10)

…

Compiled (32-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Apr 22 2014), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
        Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, with 2047MB of physical memory.


Built using Microsoft Visual C++ 10.0 build 40219
----------------------------------------------------------------------------------------------------------


Cheers,

Maksym Galemin | Software Engineer

<DNP3_dissector_issue.zip>
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list 
<wireshark-dev@wireshark.org<mailto:wireshark-dev@wireshark.org>>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe




--
Graham Bloice
Software Developer
Trihedral UK Limited
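
An added illustration of the failure described in the original report, not Wireshark's dissector code and not the fix for bug 10289: a small C reassembler for DNP3 transport segments, run with and without a sequence check over a constructed sample in which the first segment arrives a second time. The names `reasm`, `reasm_add` and `run_sample` are hypothetical, the FIN/FIR/SEQ bits follow the DNP3 transport header octet, and the check is narrowed to strict in-order sequence matching.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x80u /* last segment of the application fragment */
#define TH_FIR 0x40u /* first segment of the application fragment */
#define TH_SEQ 0x3Fu /* 6-bit transport sequence number */
struct reasm { uint8_t buf[2048]; size_t len; int active; uint8_t next_seq; };

/* Feed one transport segment (header octet + payload): 1 = fragment complete,
 * 0 = not yet, -1 = bad input. check_seq == 0 appends every payload. */
int reasm_add(struct reasm *r, const uint8_t *seg, size_t n, int check_seq)
{
    if (n < 1) return -1;
    uint8_t th = seg[0], seq = th & TH_SEQ;
    if (check_seq) {
        if (!r->active && !(th & TH_FIR)) return 0;    /* no FIR seen yet */
        if (r->active && seq != r->next_seq) return 0; /* repeat or gap: skip */
    }
    if (!r->active) { r->active = 1; r->len = 0; }
    if (r->len + (n - 1) > sizeof r->buf) return -1;
    memcpy(r->buf + r->len, seg + 1, n - 1);
    r->len += n - 1;
    r->next_seq = (uint8_t)((seq + 1) & TH_SEQ);
    if (th & TH_FIN) { r->active = 0; return 1; }
    return 0;
}

/* Constructed sample: segment 0 arrives a second time before the last one. */
static const uint8_t S0[] = { TH_FIR | 0, 'A', 'B' };
static const uint8_t S1[] = { 1, 'C', 'D' };
static const uint8_t S2[] = { TH_FIN | 2, 'E', 'F' };
/* Reassemble the sample into out (NUL-terminated); returns the length. */
size_t run_sample(int check_seq, char *out)
{
    const uint8_t *segs[] = { S0, S1, S0, S2 };
    struct reasm r = { .len = 0 };
    for (size_t i = 0; i < 4; i++) reasm_add(&r, segs[i], 3, check_seq);
    memcpy(out, r.buf, r.len);
    out[r.len] = '\0';
    return r.len;
}

int main(void)
{
    char a[16], b[16];
    run_sample(0, a); run_sample(1, b);
    printf("unchecked: %s\nchecked:   %s\n", a, b);
    return 0;
}
```

Without the check the repeated payload lands in the middle of the reassembled fragment, so everything parsed after that point is shifted.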