Wireshark · Ethereal-users: Re: [Ethereal-users] Skinny Capture!

Ethereal-users: Re: [Ethereal-users] Skinny Capture!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joerg Mayer <jmayer@xxxxxxxxx>

Date: Sun, 4 May 2003 01:10:43 +0200

On Fri, May 02, 2003 at 10:29:21PM -0500, Sarbeswsar Mohapatra wrote:
> Greetings,
> I am new to SKINNY protocol, I have created a simple message
> "StationRegisterAckMessage" with following data,
>  
>   0: 00 00 00 10 00 00 00 00      00 81 00 00 00 00 00 00
> ................
>  16: 00 00 00 00 00 00 00 00          ........
>  
> I established a client-server connection between two machines and sent
> the above message from server and client in two different instances. Ran
> the ethereal in both the machines and captured all TCP packet. When I
> filtered SKINNY protocol it does not filter anything, where as I see the
> packet in the TCP filter. I have attached the ethereal capture for
> reference. Can anybody tell me , if I am making any mistake.
>  
> Frame 7 (78 on wire, 78 captured)
> Transmission Control Protocol, Src Port: 2000 (2000), Dst Port: 1692 (1692), Seq: 1639652186, Ack: 306716705, Len: 24
>     Checksum: 0x85ec (incorrect, should be 0x54af)

How is it that this frame and its resent (Frame 22) are the only ones that
have an incorrect TCP checksum?

> Data (24 bytes)
> 
> 0030                    00 00 00 10 00 00 00 00 00 81         ..........
> 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............  

Yes, this looks like the stuff you wrote above. Looking at packet-skinny.c,
function: dissect_skinny (not dissect_skinny_pdu) shows:

| /* check, if this is really an SKINNY packet, they start with a length + 0 */
|
| /* get relevant header information */
| hdr_data_length = tvb_get_letohl(tvb, 0);
| hdr_reserved    = tvb_get_letohl(tvb, 4);
|
| /*  data_size       = MIN(8+hdr_data_length, tvb_length(tvb)) - 0xC; */
|
| /* hdr_data_length > 1024 is just a heuristic. Better values/checks welcome */
| if (hdr_data_length < 4 || hdr_data_length > 1024 || hdr_reserved != 0) {
|   /* Not an SKINNY packet, just happened to use the same port */
|   call_dissector(data_handle,tvb, pinfo, tree);
|   return;
| }

tvb_get_letohl means: read 4 bytes (a long) from the packet buffer and please
convert them from little endian format into whatever format our cpu uses.
Thus, on a x86 machine, 00 00 00 10 becomes a somewhat large number
(0x01000000 =~ 24 million IIRC). This value is put into the variable
hdr_data_length. Then, we check wether hdr_data_length is less than 1024 which
it sort of isn't. So we give up on dissecting this packet with packet-skinny.c
and give other heuristic dissectors a chance to dissect that packet.

  Ciao
          Jörg
--
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

References:
- [Ethereal-users] Skinny Capture!
  - From: Sarbeswsar Mohapatra

Prev by Date: [Ethereal-users] Ethereal source code archive
Next by Date: Re: [Ethereal-users] Skinny Capture!
Previous by thread: [Ethereal-users] Skinny Capture!
Next by thread: RE: [Ethereal-users] Skinny Capture!
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$