https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14456

            Bug ID: 14456
           Summary: Wrong interpretation related to the most specific
                    dissector regarding DNS traffic encrypted by DNScrypt.
           Product: Wireshark
           Version: 2.4.4
          Hardware: x86-64
                OS: Fedora
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: ricky.t...@gmail.com
  Target Milestone: ---

Created attachment 16159
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16159&action=edit
wireshark-v2.4.4_traffic-dnscrypt_case-1_dns-as-quic

Build Information:
Compiled (64-bit) with Qt 5.9.2, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.54.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.13.0, with Lua 5.1.5, with GnuTLS 3.5.16, with Gcrypt 1.8.1, with MIT
Kerberos, with GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2, with QtMultimedia, without AirPcap, without SBC, without SpanDSP.

Running on Linux 4.15.3-300.fc27.x86_64, with Intel(R) Core(TM)2 Duo CPU
P9600 @ 2.53GHz, with 3896 MB of physical memory, with locale fi_FI.UTF-8, with
libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with zlib 1.2.11.

Built using gcc 7.2.1 20180116 (Red Hat 7.2.1-7)
--
Wrong interpretation related to the most specific dissector regarding DNS
traffic encrypted by DNScrypt. In both cases the output in the Info column, with
the respective filters 'quic' and 'dns', systematically states "Malformed packet".
Wireshark globally fails to recognize any algorithm related to encryption.
(attachment)

On the host computer DNScrypt (https://github.com/jedisct1/dnscrypt-proxy – DNS
proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and
DNS-over-HTTP/2 – DNSSEC compatible) is used (either as CLI, using the component
dnscrypt-proxy, or as a Qt/KF5 GUI, a wrapper over dnscrypt-proxy).

Traffic was captured on my own computer with promiscuous mode not activated on
the Ethernet interface.

The captures for Case 1 and Case 2 are configured (Edit -> Preferences ->
Protocols -> DNS, UDP port) with the DNS protocol on the default port, 53, and on
port 443 respectively.

Assumed "Each dissector decodes its part of the protocol, and then hands off
decoding to subsequent dissectors for an encapsulated protocol."
(https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html).

By the way, the expression 'hands off decoding to subsequent dissectors for an
encapsulated protocol.' is written in a somewhat unclear way, to say the least.

Case 1
Wireshark misinterprets the analysed traffic in such a way that it recognizes
the QUIC dissector as the most specific dissector for the captured data. Indeed
QUIC does run over UDP, therefore QUIC packets are classic UDP packets.
Nevertheless the traffic is DNS.

Case 2
Wireshark interprets the analysed traffic in such a way that it now recognizes
the DNS dissector as the most specific dissector for the captured data, which is
the right interpretation. Nevertheless the user has to intervene in order to get
the right dissector selected for that traffic, which is definitely not the way
such a tool is designed to work.
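As an added example (not from this report, from Wireshark or from dnscrypt-proxy), the following Lua heuristic dissector identifies DNSCrypt v2 responses by their fixed resolver magic, so the traffic in both cases is labelled as DNSCrypt instead of being shown as malformed QUIC or DNS. The resolver-magic value and the response layout are taken from the DNSCrypt v2 protocol specification rather than from this report; client queries start with a per-certificate client magic, so this heuristic deliberately does not claim them.

```lua
-- Added example: heuristic dissector for DNSCrypt v2 responses.
-- Response layout (DNSCrypt v2 spec, not from the bug report):
--   resolver-magic (8) || client-nonce (12) || resolver-nonce (12) || encrypted-response
-- The resolver magic is the fixed ASCII string "r6fnvWj8"; the encrypted part
-- carries at least a 16-byte authentication tag, so a response is >= 48 bytes.
local dnscrypt = Proto("dnscrypt_resp", "DNSCrypt v2 Response (heuristic)")

local f_magic   = ProtoField.string("dnscrypt_resp.resolver_magic", "Resolver magic")
local f_cnonce  = ProtoField.bytes("dnscrypt_resp.client_nonce", "Client nonce")
local f_rnonce  = ProtoField.bytes("dnscrypt_resp.resolver_nonce", "Resolver nonce")
local f_payload = ProtoField.bytes("dnscrypt_resp.encrypted", "Encrypted response")
dnscrypt.fields = { f_magic, f_cnonce, f_rnonce, f_payload }

local RESOLVER_MAGIC = "r6fnvWj8"
local MIN_LEN = 8 + 12 + 12 + 16

-- Heuristic entry point: return false quickly when the payload is not ours, so
-- the other UDP heuristics and the port-based QUIC/DNS dissectors still run.
local function heur_dnscrypt(tvb, pinfo, tree)
  if tvb:len() < MIN_LEN then return false end
  if tvb:range(0, 8):string() ~= RESOLVER_MAGIC then return false end

  pinfo.cols.protocol = "DNSCrypt"
  pinfo.cols.info = string.format("DNSCrypt v2 encrypted response (%d bytes)", tvb:len())

  local subtree = tree:add(dnscrypt, tvb())
  subtree:add(f_magic,   tvb:range(0, 8))
  subtree:add(f_cnonce,  tvb:range(8, 12))
  subtree:add(f_rnonce,  tvb:range(20, 12))
  subtree:add(f_payload, tvb:range(32))
  return true
end

-- Register on the UDP heuristic list; no port is needed, so the same script
-- covers the port 53 and the port 443 captures alike.
dnscrypt:register_heuristic("udp", heur_dnscrypt)
```

Place the file in the personal Lua plugins directory (Help -> About Wireshark -> Folders) and reload the Lua plugins. The encrypted queries cannot be identified this way, so for them Analyze -> Decode As on the configured port is still required.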
