https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16565

            Bug ID: 16565
           Summary: L2TP improvements - cookie length detection, UDP
                    encapsulation and more
           Product: Wireshark
           Version: 3.2.3
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: peter.pal...@fri.uniza.sk
  Target Milestone: ---

Build Information:
3.2.3 (Git commit f39b50865a13)

Compiled (64-bit) with Qt 5.12.5, with libpcap, with POSIX capabilities
(Linux),
with libnl 3, with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.16.1, with Lua 5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt
1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with SBC, with SpanDSP, without bcg729.

Running on Linux 5.6.0-1-amd64, with Intel(R) Core(TM) i7-8665U CPU @ 1.90GHz
(with SSE4.2), with 7965 MB of physical memory, with locale en_US.UTF-8, with
light display mode, without HiDPI, with libpcap version 1.9.1 (with
TPACKET_V3),
with GnuTLS 3.6.13, with Gcrypt 1.8.5, with brotli 1.0.7, with zlib 1.2.11,
binary plugins supported (18 loaded).

Built using gcc 9.3.0.

--
Greetings,

I would like to submit an enhancement to the L2TP dissector. Improvements:

- Detection of cookie length is now also based on Cisco vendor-specific AVPs
(before this patch, the cookie length was only detected based on IETF AVP type
65; if the cookie was advertised in a Cisco vendor-specific AVP, it was not
autodetected)

- Storing session IDs and pseudowire type data is now also based on Cisco
vendor-specific AVPs (before this patch, the SID and PW type detection was
only based on IETF AVPs; if the SID and PW type were advertised in Cisco
vendor-specific AVPs, they were not stored as a session, and the L2TP data
message payloads were not dissected properly)

- Fixed storing and looking up conversations for UDP-based L2TP encapsulation
(before this patch, UDP-encapsulated data messages were possibly not dissected
properly since their SIDs, PW type and cookies were not looked up properly
in the Wireshark conversation->tunnel session cache)

- Fixed occasional reports of "malformed packet" when dissecting ZLB messages

- Changes to output formatting
  - Removed bogus whitespace in output strings
  - Removed redundant printouts of the same value under l2tp_tree
  - Printing out 32-bit values of SIDs and CCIDs in hex for better readability
  - Corrected the use of "ccid" vs. "tid" strings in labels
  - Properly accounting for the cookie length in the l2tp_item total length
  - Renamed the "Packet Type" ctrl_tree item into "Flags" which better
    corresponds to its contents
  - Providing quick summary for the set flag bits in the "Flags:" ctrl_tree
  - Removed l2tp.session_id key with the related hf_l2tp_session_id item since
    this item duplicated the already existing l2tp.sid/hf_l2tp_sid key/item but
    was only populated for IP-based L2TPv3 data messages which would produce
    inconsistent search/filter results

- Cleanup of the process_l2tpv3_control() function

I will be uploading demo packet captures and pushing the change to Git for
review shortly. The packet captures have been kindly provided by Nick Russo at
http://njrusmc.net/jobaid/jobaid.html and are directly downloadable from
http://njrusmc.net/jobaid/ip_l2vpn_pcap.zip .

Thank you!

Best regards,
Peter
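
The cookie-length detection described in the first item of the report, as an added example that is not part of the original message and is not Wireshark's dissector code: it walks the AVPs of a control message with bounds checks and takes the cookie length from the IETF Assigned Cookie AVP (type 65) or, when `honor_cisco` is set, from a Cisco vendor-specific one. The Cisco vendor ID 9 and attribute type 5, the function name, the `honor_cisco` switch and the sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define VENDOR_IETF           0
#define VENDOR_CISCO          9   /* assumption: Cisco enterprise number */
#define IETF_ASSIGNED_COOKIE  65  /* AVP type named in the report */
#define CISCO_ASSIGNED_COOKIE 5   /* assumption, not stated in the report */
#define AVP_HDR_LEN           6   /* flags+length, vendor ID, attribute type */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the AVP area of an L2TPv3 control message (hypothetical helper).
 * Returns the advertised cookie length (4 or 8), 0 if no cookie AVP is
 * present, or -1 if an AVP is truncated or carries an invalid length. */
int l2tp_cookie_len_from_avps(const uint8_t *buf, size_t len, int honor_cisco)
{
    size_t off = 0;
    int cookie_len = 0;

    while (off < len) {
        if (len - off < AVP_HDR_LEN)
            return -1;                              /* truncated AVP header */
        size_t avp_len = rd16(buf + off) & 0x03ff;  /* low 10 bits = length */
        uint16_t vendor = rd16(buf + off + 2);
        uint16_t type = rd16(buf + off + 4);
        if (avp_len < AVP_HDR_LEN || avp_len > len - off)
            return -1;                              /* would run past the buffer */
        size_t val_len = avp_len - AVP_HDR_LEN;

        int is_cookie = (vendor == VENDOR_IETF && type == IETF_ASSIGNED_COOKIE) ||
                        (honor_cisco && vendor == VENDOR_CISCO &&
                         type == CISCO_ASSIGNED_COOKIE);
        if (is_cookie) {
            if (val_len != 4 && val_len != 8)
                return -1;                          /* cookie is 32 or 64 bits */
            cookie_len = (int)val_len;
        }
        off += avp_len;
    }
    return cookie_len;
}

/* Constructed samples: a Message Type AVP followed by one cookie AVP. */
const uint8_t sample_cisco[] = { 0x80,0x08, 0,0, 0,0, 0x00,0x0a,
    0x00,0x0e, 0x00,0x09, 0x00,0x05, 1,2,3,4,5,6,7,8 };     /* Cisco, 8 bytes */
const uint8_t sample_ietf[] = { 0x80,0x08, 0,0, 0,0, 0x00,0x0a,
    0x80,0x0a, 0x00,0x00, 0x00,0x41, 0xde,0xad,0xbe,0xef }; /* IETF, 4 bytes */
```

With `honor_cisco` set to 0 the Cisco sample yields no cookie length, which is the situation the report describes for the dissector before the patch.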
