Ethereal-users: Re: [Ethereal-users] GRE malformed packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 23 Oct 2001 12:06:27 -0700 (PDT)

> I'm using ethereal 0.8.19 on linux. Whenever I sniff a VPN connection
> between two Windows 2000 computers, every GRE packet is considered
> malformed.

No, only the ACK-only GRE packets are considered malformed; all the
packets in the capture you sent me were GRE-over-IP-over-Ethernet, and
most of them were dissected as PPP compressed packets.

The ones that weren't were ACK-only packets, with the S bit not set, and
with no payload; Ethereal tried to dissect the non-existent payload, and
complained because it wasn't there.

I've checked in a fix to make the GRE dissector check whether the S bit
is set and, if not, check whether there's a payload before trying to
dissect it (if the S bit *is* set, it presumably is supposed to have a
payload; if it's not set, it might not have a payload, or it might be
RFC 2784 GRE without the RFC 2890 extensions, rather than RFC 2784+2890
or RFC 1701 GRE, so the S bit might not be used).

Here's a patch for the change; if you have Ethereal source and built
from source, this patch should apply to "packet-gre.c" and fix the
problem.

Index: packet-gre.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/packet-gre.c,v
retrieving revision 1.44
diff -c -r1.44 packet-gre.c
*** packet-gre.c	2001/06/18 02:17:46	1.44
--- packet-gre.c	2001/10/23 19:02:45
***************
*** 7,13 ****
   * Ethereal - Network traffic analyzer
   * By Gerald Combs <gerald@xxxxxxxxxxxx>
   * Copyright 1998 Gerald Combs
-  *
   * 
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
--- 7,12 ----
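Review bot: The removal of the duplicate ` *` line in the file's header comment is unrelated to the GRE payload fix. Consider committing this whitespace cleanup separately so that the functional change to the dissector is easier to audit and to revert on its own.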
***************
*** 43,48 ****
--- 42,55 ----
  #include "greproto.h"
  #include "ipproto.h"
  
+ /*
+  * See RFC 1701 "Generic Routing Encapsulation (GRE)", RFC 1702
+  * "Generic Routing Encapsulation over IPv4 networks", RFC 2637
+  * "Point-to-Point Tunneling Protocol (PPTP)", RFC 2784 "Generic
+  * Routing Encapsulation (GRE)", and RFC 2890 "Key and Sequence
+  * Number Extensions to GRE".
+  */
+ 
  static int proto_gre = -1;
  static int hf_gre_proto = -1;
  
***************
*** 252,257 ****
--- 259,276 ----
          dissect_gre_wccp2_redirect_header(tvb, offset, gre_tree);
        offset += 4;
      }
+   }
+ 
+   /* If the S bit is not set, this packet might not have a payload, so
+      check whether there's any data left, first.
+ 
+      XXX - the S bit isn't in RFC 2784, which deprecates that bit
+      and some other bits in RFC 1701 and says that they should be
+      zero for RFC 2784-compliant GRE; as such, the absence of the
+      S bit doesn't necessarily mean there's no payload.  */
+   if (!(flags_and_ver & GH_B_S)) {
+     if (tvb_reported_length_remaining(tvb, offset) <= 0)
+       return;	/* no payload */
    }
    next_tvb = tvb_new_subset(tvb, offset, -1, -1);
    if (!dissector_try_port(gre_dissector_table, type, next_tvb, pinfo, tree))
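Review bot: The length check added inside `if (!(flags_and_ver & GH_B_S))` only runs when S is clear, so a packet with S set and nothing after the header still reaches `tvb_new_subset()` and the subdissector lookup. If that is deliberate, so that such packets keep being reported as malformed, the comment should say so; it should also name the case that prompted the change (ACK-only packets with S clear and no payload). If the malformed report is not wanted for S-set packets either, testing `tvb_reported_length_remaining(tvb, offset) <= 0` unconditionally before building `next_tvb` would be simpler and would not depend on a bit that, per the XXX note, RFC 2784 traffic leaves at zero.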
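The header walk and payload decision described in the message, as an added stand-alone C example; it is not part of the original message or of Ethereal's packet-gre.c. The enum, the function name `gre_classify` and both sample packets are constructed for illustration, source-routed headers (R bit) are not handled, and unlike the patch it reports the "S set but nothing follows" case as its own result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_C   0x8000u /* checksum present */
#define GRE_R   0x4000u /* routing present (RFC 1701) */
#define GRE_K   0x2000u /* key present */
#define GRE_S   0x1000u /* sequence number present */
#define GRE_A   0x0080u /* acknowledgment number present (RFC 2637) */
#define GRE_VER 0x0007u

enum gre_result { GRE_UNPARSED, GRE_NO_PAYLOAD, GRE_PAYLOAD, GRE_MISSING_PAYLOAD };

/* Constructed samples: a PPTP ACK-only packet (K and A set, S clear) and a
   PPTP data packet (K and S set) carrying two payload bytes. */
static const uint8_t ack_only[] = { 0x20, 0x81, 0x88, 0x0b, 0x00, 0x00, 0x12, 0x34,
                                    0x00, 0x00, 0x00, 0x05 };
static const uint8_t data_pkt[] = { 0x30, 0x01, 0x88, 0x0b, 0x00, 0x02, 0x12, 0x34,
                                    0x00, 0x00, 0x00, 0x01, 0xfd, 0x01 };

/* Skip the optional fields named by the flag bits, then decide what to do
   with whatever is left after the header. */
enum gre_result gre_classify(const uint8_t *pkt, size_t len)
{
    size_t offset = 4; /* flags/version + protocol type */
    unsigned flags;
    if (len < offset)
        return GRE_UNPARSED; /* truncated before the fixed header ends */
    flags = ((unsigned)pkt[0] << 8) | pkt[1];
    if (flags & GRE_R)
        return GRE_UNPARSED; /* source routing is not handled here */
    if (flags & GRE_C) offset += 4; /* checksum + offset */
    if (flags & GRE_K) offset += 4; /* key, or PPTP payload length + call ID */
    if (flags & GRE_S) offset += 4; /* sequence number */
    if ((flags & GRE_VER) == 1 && (flags & GRE_A)) offset += 4; /* ack number */
    if (len < offset)
        return GRE_UNPARSED; /* optional fields run past the packet end */
    if (len > offset)
        return GRE_PAYLOAD;  /* bytes remain: hand them to the next parser */
    /* Nothing after the header: expected when S is clear, an error when set. */
    return (flags & GRE_S) ? GRE_MISSING_PAYLOAD : GRE_NO_PAYLOAD;
}

int main(void)
{
    printf("ack_only=%d data_pkt=%d\n", (int)gre_classify(ack_only, sizeof ack_only),
           (int)gre_classify(data_pkt, sizeof data_pkt));
    return 0;
}
```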