Wireshark-bugs: [Wireshark-bugs] [Bug 2195] ssl decoding stops after TLSV1 package "Ignored Unkn
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2195
pimps@xxxxxx changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pimps@xxxxxx
------- Comment #3 from pimps@xxxxxx 2008-01-18 21:12 GMT -------
Packet No. 2475 of the trace has two SSL PDUs. It is not successfully decoded >
The second PDU is marked malformed.
The second one is larger than the TCP Packet and is continued in Packet No.
2477.
packet-ssl does not check this case. Only at the first PDU it checks the size
of the PDU. For some reason pinfo->can_desegment is 0 after processing the
first SSL PDU. It is not detected that additional data is needed to decode the
PDU.
I dont know if it is a good way to deal with this packets but it solves the
problem with your trace.
Modify the check in packet-ssl.c if the available size fits the size of a PDU
and leave a message if it does not and ask for additional data.
In Line 1318 of packet-ssl.c (wireshark release 0.99.7)
remove: && pinfo->can_desegment
in the if statement.
add:
----------------------------------------------------------------------
if (check_col(pinfo->cinfo, COL_INFO))
col_append_str(pinfo->cinfo, COL_INFO, "[SSL
segment of a reassembled PDU]");
return offset;
----------------------------------------------------------------------------
if you want to have a info.
Perhaps someone can check why the pinfo->can_desegment changes within dissecing
the TCP Packet 2475 in the trace. Is somewhere something like a
save_can_desegment missing?
It look like only tcp but not ssl pdu desegmentation is working with this trace
if more than one ssl pdu is part of a TCP packet.
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.