Hi Danny,
So I had a look at this issue, which is easily reproducible.
See my answer below.
On 11/12/2017 07:43 PM, [email protected] wrote:
Hi,
I've figured it out; it has been a feature of the dissector code.
Perhaps it might be useful for someone developing her own SPOA.
Kind regards,
Danny
*Sent:* Thursday, 09 November 2017 at 16:07
*From:* "Frederic Lecaille" <[email protected]>
*To:* [email protected], [email protected]
*Subject:* Re: [RFC] Wireshark dissector for SPOP
On 11/05/2017 09:27 AM, [email protected] wrote:
> Hi all,
Hi,
> I've implemented a very basic wireshark (https://www.wireshark.org)
> dissector for SPOP. I've stumbled over the following issue, that I
> couldn't figure out, yet.
> ACTION-ARGS should be multiple TYPED-DATA items, but the data sent by
> contrib/spoa_sample does not add type information:
> 73335 14123.613537866 127.0.0.1 127.0.0.1 SPOP 89 ACK
> STREAM-ID:35969 FRAME-ID:1[Malformed Packet]
> 0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
> 0010 00 4b 70 77 40 00 40 06 cc 33 7f 00 00 01 7f 00 .Kpw@[email protected]......
> 0020 00 01 30 39 cd 4c e8 1d cd f2 05 90 45 92 80 18 ..09.L......E...
> 0030 01 5e fe 3f 00 00 01 01 08 0a 01 46 c7 f3 01 46 .^.?.......F...F
> 0040 c7 f3 67 01 00 00 00 f2 99 01 01 01 03 01 08 69 ..g............i
> 0050 70 5f 73 63 6f 72 65 03 47 p_score.G
"Malformed Packet"s are announced by Wireshark when parsing ACK SPOP frames.
According to paragraph 3.4 of the SPOP documentation, such frames are made
of actions, with 3 arguments here when using the ACTION-SET-VAR action only:
ACTION-SET-VAR : <SET-VAR:1 byte><NB-ARGS:1 byte><VAR-SCOPE:1
byte><VAR-NAME><VAR-VALUE>
The hexadecimal dump of this action here is:
01 03 01 08 69 70 5f 73 63 6f 72 65 03 47
which must be decomposed as follows:
01 -> SET-VAR
03 -> NB-ARGS
01 -> VAR-SCOPE (1st argument)
08 69 70 5f 73 63 6f 72 65 -> VAR-NAME (2nd argument)
03 47 -> VAR-VALUE (3rd argument)
Here VAR-NAME is a STRING field made of an encoded length -> 0x08
followed by the non-null-terminated string -> 69 70 5f 73 63 6f 72 65
(ip_score).
*But* note that these arguments are not 3 TYPED-DATA fields.
Only the last one VAR-VALUE argument is typed, so prefixed by a unique
byte for the type (0x03 here -> UINT32).
So dissect_action_args() should not be made of a loop like this:
for (i=0; i<nbargs; i++)
length += dissect_typed_data(tvb, tree, offset + length);
At this time, your dissector considers the VAR-SCOPE argument as a BOOL
field (false) and VAR-NAME as a 0x69-byte-long STRING field (with 0x08
as the TYPED-DATA field ID).
I hope this will help to finalize your dissector, which could be added to
the "contrib/wireshark-dissectors/spop" directory.
Regards.
Fred.
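Worked example, added here and not part of the thread nor of the HAProxy or Wireshark sources: a small C decoder for the action bytes Fred decomposes above. It reads ACTION-SET-VAR as <SET-VAR><NB-ARGS><VAR-SCOPE><VAR-NAME><VAR-VALUE> with only VAR-VALUE as TYPED-DATA, and, next to it, runs the "NB-ARGS TYPED-DATA items" loop over the same bytes to show that it reads 0x01 as BOOL false and then takes 0x69 for a STRING length and runs off the frame. The varint and TYPED-DATA layouts follow SPOE.txt as I read it; all spop_* names are made up for this example, and the 14-byte input is copied from the hex dump in the thread.

```c
/* Added example, not code from the thread, HAProxy or Wireshark: decode the ACTION-SET-VAR
 * bytes captured above as SPOE.txt 3.4 lays them out (only VAR-VALUE is TYPED-DATA), then
 * run the per-argument TYPED-DATA loop over the same bytes. All spop_* names are invented. */
#include <stdint.h>
#include <string.h>

enum { SPOP_T_NULL = 0, SPOP_T_BOOL, SPOP_T_INT32, SPOP_T_UINT32, SPOP_T_INT64,
       SPOP_T_UINT64, SPOP_T_IPV4, SPOP_T_IPV6, SPOP_T_STR, SPOP_T_BIN };
#define SPOP_ACT_SET_VAR 0x01
#define SPOP_T_MASK      0x0F   /* type nibble of a TYPED-DATA first byte */
#define SPOP_FL_TRUE     0x10   /* a BOOL carries its value in this flag bit */

struct spop_set_var {
    uint8_t  scope;          /* VAR-SCOPE: 0 proc, 1 sess, 2 txn, 3 req, 4 res */
    char     name[64];       /* VAR-NAME, copied and NUL-terminated here */
    int      value_type;     /* type nibble of VAR-VALUE */
    uint64_t value_int;      /* integer or bool value, when that is the type */
    char     value_str[64];  /* string or binary value, when that is the type */
};

/* Constructed input: the 14 action bytes of the ACK frame in the dump above. */
static const uint8_t spop_example_action[] = { 0x01, 0x03, 0x01, 0x08, 0x69, 0x70, 0x5f,
                                               0x73, 0x63, 0x6f, 0x72, 0x65, 0x03, 0x47 };
static const size_t spop_example_action_len = sizeof spop_example_action;

/* SPOP varint: a first byte below 240 is the value; otherwise each further byte adds
 * 7 bits shifted by 4, 11, 18, ... until a byte below 128 ends the number. */
static int spop_decode_varint(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    const uint8_t *q = *p; uint64_t v; int shift = 4;
    if (q >= end) return -1;
    v = *q++;
    if (v >= 240) do {
        if (q >= end) return -1;
        v += (uint64_t)*q << shift;
        shift += 7;
    } while (*q++ >= 128);
    *p = q; *out = v;
    return 0;
}

/* STRING: <LENGTH:varint><BYTES>; the bytes are not NUL-terminated on the wire. */
static int spop_decode_string(const uint8_t **p, const uint8_t *end, char *dst, size_t dstsz)
{
    uint64_t len;
    if (spop_decode_varint(p, end, &len) < 0) return -1;
    if (len > (uint64_t)(end - *p) || len >= dstsz) return -1;  /* would run past the frame */
    memcpy(dst, *p, (size_t)len);
    dst[len] = '\0';
    *p += len;
    return 0;
}

/* TYPED-DATA: <TYPE:4 bits><FLAGS:4 bits><DATA>. Returns the type, or -1. */
static int spop_decode_typed_data(const uint8_t **p, const uint8_t *end,
                                  uint64_t *ival, char *sval, size_t ssz)
{
    uint8_t t, type;
    if (*p >= end) return -1;
    t = *(*p)++; type = t & SPOP_T_MASK;
    *ival = 0; sval[0] = '\0';
    if (type == SPOP_T_BOOL)                  /* value is in the flag bit, no DATA bytes */
        *ival = (t & SPOP_FL_TRUE) ? 1 : 0;
    else if (type >= SPOP_T_INT32 && type <= SPOP_T_UINT64)
        return spop_decode_varint(p, end, ival) < 0 ? -1 : type;
    else if (type == SPOP_T_STR || type == SPOP_T_BIN)
        return spop_decode_string(p, end, sval, ssz) < 0 ? -1 : type;
    else if (type != SPOP_T_NULL)
        return -1;                            /* IPV4/IPV6 omitted, not needed for this frame */
    return type;
}

/* ACTION-SET-VAR: <SET-VAR:1><NB-ARGS:1><VAR-SCOPE:1><VAR-NAME:string><VAR-VALUE:typed>.
 * Returns the number of bytes consumed, or -1 if the action is malformed. */
static int spop_decode_set_var(const uint8_t *buf, size_t len, struct spop_set_var *out)
{
    const uint8_t *p, *end = buf + len;
    if (len < 3 || buf[0] != SPOP_ACT_SET_VAR || buf[1] != 3) return -1;
    out->scope = buf[2]; p = buf + 3;
    if (spop_decode_string(&p, end, out->name, sizeof out->name) < 0) return -1;
    out->value_type = spop_decode_typed_data(&p, end, &out->value_int,
                                             out->value_str, sizeof out->value_str);
    return out->value_type < 0 ? -1 : (int)(p - buf);
}

/* The loop the thread warns against: NB-ARGS TYPED-DATA items back to back. Records the
 * types it sees and returns how many items it decoded before the bogus length (0x69, the
 * 'i' of "ip_score") sends it past the end of the frame. */
static int spop_naive_args_loop(const uint8_t *buf, size_t len, int *types)
{
    const uint8_t *p = buf + 2, *end = buf + len;
    uint64_t ival; char sval[64];
    int i, nbargs = len >= 2 ? buf[1] : 0;
    for (i = 0; i < nbargs; i++) {
        types[i] = spop_decode_typed_data(&p, end, &ival, sval, sizeof sval);
        if (types[i] < 0) return i;
    }
    return nbargs;
}
```

Calling spop_decode_set_var() on spop_example_action consumes all 14 bytes and yields scope 1, name "ip_score", type UINT32 and value 0x47; spop_naive_args_loop() on the same bytes decodes one item (BOOL, false) and stops on the second, exactly the misreading described above. The bounds check in spop_decode_string() before the memcpy is the part a dissector must keep: a length byte taken from the wrong offset is just the kind of frame a hostile agent can also send on purpose, and it has to fail cleanly rather than read past the buffer.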