Wireshark · Ethereal-dev: Re: [Ethereal-dev] v0.9.5 hangs on bad IP protocol field.

[ALEX LAM <alexl@xxxxxxxxx>]

Guy Harris wrote:

> On Tue, Jul 30, 2002 at 11:39:48AM +1000, ALEX LAM wrote:
>  
>
> > Attached is a sniffer trace that will hang 0.9.5 because the protocol
> > field in the IP header (0x47) is bad.
> >    
>
> Well, when I try running the current CVS version, it reports
>
> 	The file "/tmp/TEST4.bad.dat" is a capture for a network type
> 	that Ethereal doesn't support.
>
> and prints to the console
>
> 	Message: pcap: network type 120 unknown or unsupported
>
> That network type wasn't supported in 0.9.5, either; I have the
> description of the Aironet header, but I don't yet know what all the
> fields in it are.
>  
Sorry... 120 is a network type I hacked into ethereal 0.9.5 to support 
my frame
format. It is Aironet header, but with more proprietry stuff... To reproduce
the hanging effect with the CVS version, one will need to hexedit a good 
capture
with an invalid protocol number...

> > In fact, parts of the IP header is erronous. Everything works fine when
> > I change 0x47 from the erronous 0x2e
> > to 0x11 (UDP)
> >
> > Perhaps ethereal should stop parsing when it realises that the packet is
> > erronous.
> >    
>
> Or perhaps it should have the bugs that cause it to loop when it sees
> bad data fixed, so that if erroneous packets are captured, but fields
> *following* the erroneous field are invalid, it can, if possible, still
> dissect those fields, in case they have useful information to whoever's
> trying to debug the problem causing erroneous packets to be transmitted.
>  
Hmmm... yes, that make sense... perhaps ethereal should have the option 
for allowing
the user to decide whether parsing should or should not stop once error 
is encountered...

Alex