Wireshark-bugs: [Wireshark-bugs] [Bug 10305] New: Tftp dissector does not track conversations co
Date: Wed, 23 Jul 2014 16:17:41 +0000
Bug ID 10305
Summary Tftp dissector does not track conversations correctly. Source file and Destination File redundant or disagree.
Classification Unclassified
Product Wireshark
Version 1.12.0
Hardware x86-64
OS Windows 7
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter evanb@aviftech.com

Created attachment 12922
A capture of several TFTP exchanges. Set the TFTP port to 59 in the
preferences.

Build Information:
Version 1.12.0-rc2 (v1.12.0-rc2-0-gfd017ee from master-1.12)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.1.22, with Gcrypt 1.6.0,
with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jun 13 2014),
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 3.1.22, Gcrypt 1.6.0, without AirPcap.
        Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz, with 16264MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

--
The Source File and Destination File fields are sometimes redundant or
disagree.

For example, in the attached file, see packets 1, 6, 10, 28, and 29. (Make sure
you set the TFTP port to 59 in the preferences).

The source file field is supposed to contain the file name during read
requests. The destination file field is supposed to contain the file name
during write requests.

The source/destination field that is flagged as generated should only be shown
for data packets, not request packets.

My solution (you may decide to implement something else) was to replace lines
369-408 of packet-tftp.c with:

  /*
   * The first TFTP packet goes to the TFTP port; the second one
   * comes from some *other* port, but goes back to the same
   * IP address and port as the ones from which the first packet
   * came; all subsequent packets go between those two IP addresses
   * and ports.
   *
   * If this packet went to the TFTP port, we create a new conversation
   * and set the destination port to a wildcard. That way the subsequent
   * packets can be matched to it.
   *
   * If not, we search for a conversation it matches. One might not exist if
   * the user is explicitly dissecting a packet, so just create a new one if
   * that's the case.
   */
  if (value_is_in_range(global_tftp_port_range, pinfo->destport)) {
    conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
                                    PT_UDP, pinfo->srcport, 0, NO_PORT2);
    conversation_set_dissector(conversation, tftp_handle);
  } else {
    conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
                                     pinfo->ptype, pinfo->srcport,
                                     pinfo->destport, 0);
    if( (conversation == NULL) ||
        (conversation->dissector_handle != tftp_handle) )
    {
      conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, 
                                      PT_UDP, pinfo->destport, pinfo->srcport,
                                      0);
      conversation_set_dissector(conversation, tftp_handle);
    }
  }


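The tracking rule described in the report's code comment, as an added stand-alone example (not the reporter's patch and not Wireshark's conversation API): a request to the TFTP port always opens a new conversation with a wildcard server port, the first reply binds that port, and the file name recorded from the request stays attached to the later data packets. The struct, the function name `tftp_track` and the table size are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the logic; this is not Wireshark's conversation API. */
enum { OP_RRQ = 1, OP_WRQ = 2, MAX_CONV = 16 };

struct conv {
    uint32_t client_ip, server_ip;
    uint16_t client_port, server_port; /* server_port 0 = wildcard until the first reply */
    int is_write;                      /* 0: RRQ names the source file, 1: WRQ the destination */
    char file[64];
};

static struct conv table[MAX_CONV];
static int nconv;
static uint16_t tftp_port = 59;        /* port used by the report's capture; 69 is the standard */

/* Returns the conversation a packet belongs to, or NULL. opcode/name are only read for requests. */
struct conv *tftp_track(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport,
                        int opcode, const char *name)
{
    if (dport == tftp_port) {          /* request: always a new conversation */
        if (nconv == MAX_CONV || (opcode != OP_RRQ && opcode != OP_WRQ))
            return NULL;
        struct conv *c = &table[nconv++];
        memset(c, 0, sizeof *c);
        c->client_ip = src; c->client_port = sport; c->server_ip = dst;
        c->is_write = (opcode == OP_WRQ);
        strncpy(c->file, name, sizeof c->file - 1);
        return c;
    }
    for (int i = nconv - 1; i >= 0; i--) {   /* newest first: a reused client port hits the latest request */
        struct conv *c = &table[i];
        int from_server = src == c->server_ip && dst == c->client_ip && dport == c->client_port;
        int from_client = src == c->client_ip && dst == c->server_ip && sport == c->client_port;
        if (from_server && c->server_port == 0)
            c->server_port = sport;          /* first reply binds the server's port */
        if ((from_server && sport == c->server_port) ||
            (from_client && c->server_port != 0 && dport == c->server_port))
            return c;
    }
    return NULL;
}
```

Because a request never reuses an existing entry, two transfers started from the same client port keep separate file names, which is the disagreement the report describes.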