Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?

2023-02-13 Thread Martin Mathieson via Wireshark-dev
Thanks John,

That does seem to be the pattern, most are caused by:
- a type that later got expanded, and sometimes the older field width and
original subset of values are still used
OR
- a value that is read elsewhere and this is just the field where the value
is added/displayed (not sure in this case whether the value will get sliced
down to the field width)

The check itself is a bit messy - I'll park this change and maybe revisit
later.

Martin


On Mon, Feb 13, 2023 at 1:08 AM John Thacker wrote:

> The bittorrent one is fine. The message type field in a packet with the
> standard protocol is a single byte. There's an Azureus dialect that clients
> can switch to if they both speak it, and it has some extra message types
> specified with string names only. The dissector uses the message type field
> with internal Wireshark only numbers for those types.
>
> For EAP, the MNC has a certain value, but the string to use depends on the
> MCC. `proto_tree_add_uint` is used there, but probably the more complicated
> `proto_tree_add_uint_format_value` call from packet-e212.c is appropriate
> in order to have just the MNC for the value.
>
> John Thacker
>
> On Sun, Feb 12, 2023, 6:14 PM Martin Mathieson via Wireshark-dev <
> wireshark-dev@wireshark.org> wrote:
>
>> Hi,
>>
>> I have added another check to CHECK_HF_FILTER in proto.c (extra checks
>> that only get done in the 'CLANG + Code checks' pipeline build) to check
>> for values in an item's value_string that could not be represented in the
>> item's type (e.g. a value of > 255 for FT_UINT8).  I can eventually look
>> into all of them, but if anyone recognises a filter below from a protocol
>> they know well and could check it, that would be great.
>>
>> I understand the RoHC case, but haven't looked into many others.  One
>> thing that made this check tricky was dealing with -ve numbers in the macro
>> where this check is done, but hopefully few/none of these cases here are
>> just because of -ve numbers cast to an unsigned type.
>>
>> Thanks,
>> Martin
>>
>>
>> ** (tshark:122026) 22:58:47.725497 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Message Type" filter bittorrent.msg.type
>> value of 260 cannot be represented
>>
>>  ** (tshark:122026) 22:58:47.824725 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Tag" filter cbor.type.tag value of 22098
>> cannot be represented
>>
>>  ** (tshark:122026) 22:58:47.825338 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT8, "Class" filter cip.class value of 272
>> cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.432044 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT8, "Class" filter devicenet.class value of
>> 272 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.432137 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Type" filter
>> dhcp.vendor.pktc.mta_cap_type value of 12609 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.441871 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter
>> eap.identity.mnc value of 99101 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.442037 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter
>> eap.identity.mnc value of 99 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.443270 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT8, "SDO Transfer Abort" filter
>> epl.asnd.sdo.cmd.abort.code value of 134217763 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.449709 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Radio Resources Management Message Type"
>> filter gmr1.rr.msg_type value of 318 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.452640 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Error" filter h450.error value of 2002
>> cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.457042 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "error code" filter jdwp.errorcode value
>> of 511 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.459379 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Network Address family" filter
>> lldp.network_address.subtype value of 16396 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.459399 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "Address Subtype" filter
>> lldp.mgn.address.subtype value of 16396 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.467792 [Epan WARNING] epan/proto.c:8499 --
>> tmp_fld_check_assert(): FT_UINT8, "R. Trigger" filter mip6.bri_r.trigger
>> value of 296 cannot be represented
>>
>>  ** (tshark:122026) 22:58:48.477608 [Epan WARNING] epan/proto.c:8495 --
>> tmp_fld_check_assert(): FT_UINT8, "Charset" filter mysql.charset value of
>> 308 cannot be represented
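
A stand-alone sketch of the kind of range check discussed in this thread, added here as an example; it is not the code from proto.c or from either poster. The `ex_` types, functions and sample tables are simplified, hypothetical stand-ins, and the signed cases show why negative table values need care before they are flagged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins (assumptions), not the definitions from epan/. */
typedef enum { EX_UINT8, EX_UINT16, EX_INT8, EX_INT16 } ex_ftype;
typedef struct { uint32_t value; const char *strptr; } ex_value_string;

/* True if a table value, stored as 32 unsigned bits, fits the field type. */
static bool ex_value_fits(ex_ftype ft, uint32_t raw)
{
    /* A negative constant lands in the table as a large unsigned number,
     * so signed field types reinterpret it before the range check. */
    int32_t s = (int32_t)raw;
    switch (ft) {
    case EX_UINT8:  return raw <= UINT8_MAX;
    case EX_UINT16: return raw <= UINT16_MAX;
    case EX_INT8:   return s >= INT8_MIN && s <= INT8_MAX;
    case EX_INT16:  return s >= INT16_MIN && s <= INT16_MAX;
    }
    return false;
}

/* Count entries (table ends at strptr == NULL) that cannot be represented;
 * *first_bad receives the first offending value when the count is nonzero. */
static size_t ex_count_unrepresentable(ex_ftype ft, const ex_value_string *vs,
                                       uint32_t *first_bad)
{
    size_t bad = 0;
    for (; vs->strptr != NULL; vs++) {
        if (!ex_value_fits(ft, vs->value) && bad++ == 0 && first_bad != NULL)
            *first_bad = vs->value;
    }
    return bad;
}

/* Constructed sample tables; names and values are illustrative only. */
static const ex_value_string ex_msg_types[] = {
    { 0, "Choke" }, { 1, "Unchoke" }, { 260, "Internal-only type" }, { 0, NULL }
};
static const ex_value_string ex_status[] = {
    { (uint32_t)-1, "Error" }, { 0, "OK" }, { 0, NULL }
};

int main(void)
{
    uint32_t bad = 0;
    size_t n = ex_count_unrepresentable(EX_UINT8, ex_msg_types, &bad);
    return (n == 1 && bad == 260 &&
            ex_count_unrepresentable(EX_INT8, ex_status, NULL) == 0) ? 0 : 1;
}
```

The same `-1` entry that passes for a signed 8-bit field is reported as 4294967295 when the field is declared unsigned, which is the cast case the original message hoped was rare.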

Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?

2023-02-12 Thread John Thacker
The bittorrent one is fine. The message type field in a packet with the
standard protocol is a single byte. There's an Azureus dialect that clients
can switch to if they both speak it, and it has some extra message types
specified with string names only. The dissector uses the message type field
with internal Wireshark only numbers for those types.

For EAP, the MNC has a certain value, but the string to use depends on the
MCC. `proto_tree_add_uint` is used there, but probably the more complicated
`proto_tree_add_uint_format_value` call from packet-e212.c is appropriate
in order to have just the MNC for the value.

John Thacker

On Sun, Feb 12, 2023, 6:14 PM Martin Mathieson via Wireshark-dev <
wireshark-dev@wireshark.org> wrote:

> Hi,
>
> I have added another check to CHECK_HF_FILTER in proto.c (extra checks
> that only get done in the 'CLANG + Code checks' pipeline build) to check
> for values in an item's value_string that could not be represented in the
> item's type (e.g. a value of > 255 for FT_UINT8).  I can eventually look
> into all of them, but if anyone recognises a filter below from a protocol
> they know well and could check it, that would be great.
>
> I understand the RoHC case, but haven't looked into many others.  One
> thing that made this check tricky was dealing with -ve numbers in the macro
> where this check is done, but hopefully few/none of these cases here are
> just because of -ve numbers cast to an unsigned type.
>
> Thanks,
> Martin
>
>
> ** (tshark:122026) 22:58:47.725497 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Message Type" filter bittorrent.msg.type
> value of 260 cannot be represented
>
>  ** (tshark:122026) 22:58:47.824725 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Tag" filter cbor.type.tag value of 22098
> cannot be represented
>
>  ** (tshark:122026) 22:58:47.825338 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Class" filter cip.class value of 272
> cannot be represented
>
>  ** (tshark:122026) 22:58:48.432044 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Class" filter devicenet.class value of
> 272 cannot be represented
>
>  ** (tshark:122026) 22:58:48.432137 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Type" filter
> dhcp.vendor.pktc.mta_cap_type value of 12609 cannot be represented
>
>  ** (tshark:122026) 22:58:48.441871 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter
> eap.identity.mnc value of 99101 cannot be represented
>
>  ** (tshark:122026) 22:58:48.442037 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT16, "Identity Mobile Network Code" filter
> eap.identity.mnc value of 99 cannot be represented
>
>  ** (tshark:122026) 22:58:48.443270 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "SDO Transfer Abort" filter
> epl.asnd.sdo.cmd.abort.code value of 134217763 cannot be represented
>
>  ** (tshark:122026) 22:58:48.449709 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Radio Resources Management Message Type"
> filter gmr1.rr.msg_type value of 318 cannot be represented
>
>  ** (tshark:122026) 22:58:48.452640 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Error" filter h450.error value of 2002
> cannot be represented
>
>  ** (tshark:122026) 22:58:48.457042 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "error code" filter jdwp.errorcode value
> of 511 cannot be represented
>
>  ** (tshark:122026) 22:58:48.459379 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Network Address family" filter
> lldp.network_address.subtype value of 16396 cannot be represented
>
>  ** (tshark:122026) 22:58:48.459399 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "Address Subtype" filter
> lldp.mgn.address.subtype value of 16396 cannot be represented
>
>  ** (tshark:122026) 22:58:48.467792 [Epan WARNING] epan/proto.c:8499 --
> tmp_fld_check_assert(): FT_UINT8, "R. Trigger" filter mip6.bri_r.trigger
> value of 296 cannot be represented
>
>  ** (tshark:122026) 22:58:48.477608 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Charset" filter mysql.charset value of
> 308 cannot be represented
>
>  ** (tshark:122026) 22:58:48.477719 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Charset" filter mariadb.charset value of
> 1248 cannot be represented
>
>  ** (tshark:122026) 22:58:48.477750 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Server Language" filter
> mysql.server_language value of 308 cannot be represented
>
>  ** (tshark:122026) 22:58:48.477807 [Epan WARNING] epan/proto.c:8495 --
> tmp_fld_check_assert(): FT_UINT8, "Server Language" filter
> mariadb.server_language value of 1248 cannot be represented
>
>  ** (tshark:122026)