Hello and thanks for the answers,
IMHO the problem comes from the fact that we have two redundant pieces of information:
the ethertype and IP.Version fields.
It would be the same thing for IPx-over-IPx, as the IP-protocol field does not have the same value for IPv4 and IPv6.
We could think that the decision should not be taken on the IP-version field, but that won't work in some situations. Actually, for some encapsulations (IPoUDP) the IP version is not known before inspecting the IP-Version field.
I think a good solution would be to have 3 "dissect_ip()" functions:
- dissect_ip(), when we don't know if the packet is IPv4 or IPv6 before inspecting the IP-Version field.
- dissect_ipv4(), when we know the packet is (or should be) IPv4 (IPoE, IPoIP...). In that case the IP-Version field will be checked for coherence.
- dissect_ipv6(), when we know the packet is (or should be) IPv6 (IPoE, IPoIP...). In that case the IP-Version field will be checked for coherence.
I am new to this list... I don't know your processes.
Should I submit a bug report or change request somewhere?
Regards.
Vincent
> Message of 25/01/12 12:07
> From: "Michael Tuexen"
> To: "Community support list for Wireshark"
> Cc: "Vincent CATROS"
> Subject: Re: [Wireshark-users] Strange decoding?
>
> On Jan 25, 2012, at 11:39 AM, wiresharkusers@xxxxxxxxxxxx wrote:
>
> > Hi,
> >
> > I haven't looked at the source code, but I guess Wireshark reads the IP
> > version information in the IP header (contained in the first byte of the IP header),
> > which is 6 in packet #6, and that probably overrides the ethertype.
> By looking at the code, you find in packet-ip.c, dissect_ip():
>
>     iph->ip_v_hl = tvb_get_guint8(tvb, offset);
>     if ( hi_nibble(iph->ip_v_hl) == 6) {
>         call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
>         return;
>     }
>
> This means if the IPv4 dissector gets called with an IPv6 packet, it is
> just decoded as an IPv6 packet. I'm not sure why we do this. Does anyone know?
>
> Best regards
> Michael
> >
> > Regards,
> > Jasper
> >
> >> Hello,
> >
> >> I have faulty equipment sending IPv6 packets with ethertype 0x0800 (IPv4).
> >> Nevertheless Wireshark decodes it as IPv6 (check packet #6 of the attached file).
> >
> >> It seems strange to me. I thought Wireshark uses ethertype for decoding, or at
> >> least for selecting the dissector, but that does not seem to be the case. And even
> >> if Wireshark uses another method, I would have liked it to warn me.
> >
> >> Could someone explain to me why it behaves this way?
> >
> >> Regards.
> >> Vincent
> >
> >
> > ___________________________________________________________________________
> > Sent via: Wireshark-users mailing list
> > Archives: http://www.wireshark.org/lists/wireshark-users
>
>
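
Added example, not part of the original thread and not Wireshark code: a stand-alone sketch of the proposal in the message above, where the outer layer (here the ethertype) selects the dissector and the IP version field is only checked for coherence, so a mismatch like the one in packet #6 is reported instead of silently followed. All names are hypothetical, and keeping the outer layer's choice on a mismatch is an assumed policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; none of this is Wireshark's API. */
enum ip_hint { IP_HINT_NONE = 0, IP_HINT_V4 = 4, IP_HINT_V6 = 6 };

struct ip_verdict {
    int version;   /* dissector to run: 4 or 6, 0 if neither applies */
    int mismatch;  /* 1 if the header's version field contradicts the hint */
};

/* What the outer layer promises: 0x0800 is IPv4, 0x86DD is IPv6. */
enum ip_hint hint_from_ethertype(uint16_t ethertype)
{
    if (ethertype == 0x0800) return IP_HINT_V4;
    if (ethertype == 0x86DD) return IP_HINT_V6;
    return IP_HINT_NONE;
}

struct ip_verdict classify_ip(const uint8_t *pkt, size_t len, enum ip_hint hint)
{
    struct ip_verdict v = { 0, 0 };
    if (pkt == NULL || len == 0)
        return v;                       /* nothing to inspect */
    int nibble = pkt[0] >> 4;           /* version field, high nibble of byte 0 */
    if (hint == IP_HINT_NONE) {
        /* "dissect_ip()" case (e.g. IPoUDP): the version field decides. */
        if (nibble == 4 || nibble == 6)
            v.version = nibble;
        return v;
    }
    /* "dissect_ipv4()/dissect_ipv6()" case: the outer layer decides and
     * the version field is only checked for coherence (assumed policy). */
    v.version = (int)hint;
    v.mismatch = (nibble != (int)hint);
    return v;
}

int main(void)
{
    /* Constructed sample: start of an IPv6 header, as in the report. */
    const uint8_t pkt[] = { 0x60, 0x00, 0x00, 0x00 };
    struct ip_verdict v = classify_ip(pkt, sizeof pkt, hint_from_ethertype(0x0800));
    printf("dissect as IPv%d, mismatch=%d\n", v.version, v.mismatch);
    return 0;
}
```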