Wireshark-dev: [Wireshark-dev] Packet not reaching dissector
From: "Craig Bumpstead" <cbumpste@xxxxxxxxxxxx>
Date: Sat, 8 May 2010 20:28:25 +1000
Hi,
I've noticed that Frame 2 with the bad header checksum reaches my dissector
but Frame 3 with a LEN=0 doesn't actually reach my dissector (stepping
through the code with VS 2008). Is this normal for Wireshark?
Note: I have censored the IPs and MAC addresses.
Frame 2 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jul 2, 2009 15:32:55.778125000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 2
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:data]
Ethernet II, Src: Wistron_11:11:11 (00:0a:e4:11:11:11), Dst: Cisco_22:22:22
(00:1e:7a:22:22:22)
Destination: Cisco_22:22:22 (00:1e:7a:22:22:22)
Address: Cisco_22:22:22 (00:1e:7a:22:22:22)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Wistron_11:11:11 (00:0a:e4:11:11:11)
Address: Wistron_11:11:11 (00:0a:e4:11:11:11)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.1.21.16 (10.1.21.16), Dst: 10.1.1.12 (10.1.1.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 46
Identification: 0x5ced (23789)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x0000 [incorrect, should be 0x1bb3]
[Good: False]
[Bad : True]
[Expert Info (Error/Checksum): Bad checksum]
[Message: Bad checksum]
[Severity level: Error]
[Group: Checksum]
Source: 10.1.21.16 (10.1.21.16)
Destination: 10.1.1.12 (10.1.1.12)
Transmission Control Protocol, Src Port: 21016 (21016), Dst Port: 4435
(4435), Seq: 1, Ack: 7, Len: 6
Source port: 21016 (21016)
Destination port: 4435 (4435)
[Stream index: 0]
Sequence number: 1 (relative sequence number)
[Next sequence number: 7 (relative sequence number)]
Acknowledgement number: 7 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 64551
Checksum: 0x824a [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1]
[Number of bytes in flight: 6]
MYPROTO Protocol
MYPROTO PDU Type: Unknown (0x80)
Data (6 bytes)
0000 80 00 20 21 10 80 .. !..
Data: 800020211080
[Length: 6]
Frame 3 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jul 2, 2009 15:32:56.106250000
[Time delta from previous captured frame: 0.328125000 seconds]
[Time delta from previous displayed frame: 0.328125000 seconds]
[Time since reference or first frame: 0.328125000 seconds]
Frame Number: 3
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
Ethernet II, Src: Cisco_22:22:22 (00:1e:7a:22:22:22), Dst: Wistron_11:11:11
(00:0a:e4:11:11:11)
Destination: Wistron_11:11:11 (00:0a:e4:11:11:11)
Address: Wistron_11:11:11 (00:0a:e4:11:11:11)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Cisco_36:6d:a5 (00:1e:7a:22:22:22)
Address: Cisco_36:6d:a5 (00:1e:7a:22:22:22)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.1.1.12 (10.1.1.12), Dst: 10.1.21.16 (10.1.21.16)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xb170 (45424)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 123
Protocol: TCP (0x06)
Header checksum: 0xcc35 [correct]
[Good: True]
[Bad : False]
Source: 10.1.1.12 (10.1.1.12)
Destination: 10.1.21.16 (10.1.21.16)
Transmission Control Protocol, Src Port: 4435 (4435), Dst Port: 21016
(21016), Seq: 7, Ack: 7, Len: 0
Source port: 4435 (4435)
Destination port: 21016 (21016)
[Stream index: 0]
Sequence number: 7 (relative sequence number)
Acknowledgement number: 7 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65382
Checksum: 0x6280 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 2]
[The RTT to ACK the segment was: 0.328125000 seconds]