https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14113

            Bug ID: 14113
           Summary: AMQP 0.9 dissector confused when first packet contains
                    several frames
           Product: Wireshark
           Version: 2.4.2
          Hardware: x86
                OS: OS X 10.10
            Status: UNCONFIRMED
          Severity: Minor
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: magnus.hen...@gmail.com
  Target Milestone: ---

Created attachment 15879
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15879&action=edit
Two AMQP 0.9 packets

Build Information:
Version 2.4.2 (v2.4.2-0-gb6c63ae)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with GeoIP,
with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with
QtMultimedia, without AirPcap, with SBC, without SpanDSP.

Running on Mac OS X 10.10.5, build 14F2511 (Darwin 14.5.0), with Intel(R)
Core(TM) i5-4258U CPU @ 2.40GHz (with SSE4.2), with 16384 MB of physical
memory,
with locale C, with libpcap version 1.5.3 - Apple version 47, with GnuTLS
3.4.17, with Gcrypt 1.7.7, with zlib 1.2.5.

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The attached pcapng file contains two packets with AMQP 0.9 traffic.  When
opened in Wireshark, it is decoded correctly:

1       2017-10-11 14:22:43.533502      0.000000        127.0.0.1       5672   
127.0.0.1       59195   AMQP    Basic.Consume-Ok                1       44     
127.0.0.1                                       
2       2017-10-11 14:22:43.533540      0.000038        127.0.0.1       5672   
127.0.0.1       59195   AMQP    Basic.Deliver x= rk=rmq_simple_queue
Content-Header Content-Body                45      119     127.0.0.1            

However, if you export the second packet into a new file and open it, the AMQP
dissector doesn't kick in:

1       2017-10-11 14:22:43.533540      0.000000        127.0.0.1       5672   
127.0.0.1       59195   TCP     5672 → 59195 [PSH, ACK] Seq=1 Ack=1 Win=12742
Len=119 TSval=1852809785 TSecr=1852809785 [TCP segment of a reassembled PDU]   
          1       119     127.0.0.1                                       

If I'm reading packet-amqp.c correctly, this happens because of how
check_amqp_version detects AMQP version 0.9.  It checks whether the length
field in the AMQP frame is equal to the length of the packet.  However, that
fails when there are several AMQP frames in the packet.  This means that the
version gets detected incorrectly, and applied to the entire "conversation",
with no way of nudging it in the correct direction.

This is annoying when opening a trace that started in the middle of a
"conversation" - whether the traffic gets decoded correctly or not depends on
whether the first packet in the TCP conversation contained exactly one AMQP
frame.  Ideally, the AMQP dissector would figure it out by itself, but an
alternative solution could be adding a preference for forcing a certain AMQP
version.
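A small model of the version check the report describes, added here as an illustration rather than code taken from packet-amqp.c: the single-frame length comparison beside a frame-walking check that also accepts a segment carrying several frames. It uses the AMQP 0-9-1 frame layout (type, channel, size, payload, 0xCE end octet); the two sample segments are constructed to resemble the packets in the attachment, and all function and field names are assumptions.

```python
import struct

FRAME_END = 0xCE
FRAME_TYPES = {1, 2, 3, 8}  # method, header, body, heartbeat

def frame(ftype, channel, payload):
    """Build one AMQP 0-9-1 frame: type(1) channel(2) size(4) payload 0xCE."""
    return struct.pack(">BHI", ftype, channel, len(payload)) + payload + bytes([FRAME_END])

def shortstr(s):
    """AMQP shortstr: one length octet followed by the bytes."""
    b = s.encode()
    return bytes([len(b)]) + b

def single_frame_heuristic(segment):
    """Model of the check the report describes: the first frame's size field
    (+7 header, +1 frame-end) must equal the length of the whole TCP payload."""
    if len(segment) < 8:
        return False
    size = struct.unpack_from(">I", segment, 3)[0]
    return size + 8 == len(segment)

def multi_frame_heuristic(segment):
    """Walk every frame; accept only if frames tile the segment exactly, each with
    a known type and a 0xCE end octet. Assumes a clean frame boundary at both ends."""
    off, count = 0, 0
    while off < len(segment):
        if len(segment) - off < 8:
            return False
        ftype, _chan, size = struct.unpack_from(">BHI", segment, off)
        end = off + 7 + size  # index of the frame-end octet
        if ftype not in FRAME_TYPES or end >= len(segment) or segment[end] != FRAME_END:
            return False
        off, count = end + 1, count + 1
    return count > 0

# Constructed segments modelled on the two packets in the report (field values
# are made up). PACKET2 carries Basic.Deliver + Content-Header + Content-Body.
BODY = b"hello"
PACKET1 = frame(1, 1, struct.pack(">HH", 60, 21) + shortstr("ctag1.0"))  # Basic.Consume-Ok
DELIVER = (struct.pack(">HH", 60, 60) + shortstr("ctag1.0") + struct.pack(">Q", 1)
           + b"\x00" + shortstr("") + shortstr("rmq_simple_queue"))
HEADER = struct.pack(">HHQH", 60, 0, len(BODY), 0)  # class, weight, body size, flags
PACKET2 = frame(1, 1, DELIVER) + frame(2, 1, HEADER) + frame(3, 1, BODY)

if __name__ == "__main__":
    for name, seg in (("packet 1", PACKET1), ("packet 2", PACKET2)):
        print(name, single_frame_heuristic(seg), multi_frame_heuristic(seg))
```

Run stand-alone it prints `True True` for the single-frame segment and `False True` for the three-frame one, which is the mismatch the report attributes to check_amqp_version.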
