[Wireshark-dev] How to handle Ethernet frames with FCS, malformed packet in PN dissector

Mon, 26 Sep 2011 06:51:00 -0700 

Hi,



I'm currently implementing a new pcap link-layer type which contains an
Ethernet frame including the FCS (see LINKTYPE_NETANALYZER on
http://www.tcpdump.org/linktypes.html).

Now I have observed a problem with the PROFINET dissector, I'm not sure
how to deal with it, and I'm not sure if even other dissectors are
affected.



>From the pcap file I read:



+----------------------+

+ Link_layer header    +

+----------------------+

+                      +

+ Ethernet frame data  +

+                      +

+- - - - - - - - - - - +

+ Ethernet FCS         +

+----------------------+



The WTAP dissector dissects the link-layer header and generates a new
tvb subset containing only the Ethernet frame data + FCS (cuts of the
link-layer header). This tvb subset is passed to the "eth_withfcs"
dissector.



In pcap_read_post_process() I added the new encap type and set the
pseudo-headers FCS length to 4:

case WTAP_ENCAP_NETANALYZER:

    pseudo_header->eth.fcs_len = 4;

    break;



Now I open a pcap file containing a PN-PTCP DelayRes frame, which
results in a malformed packet expert info "exception occurred". Looking
at the packet-pn-rt.c source code in dissect_pn_rt() there are some
manipulations regarding pinfo->pseudo_header->eth.fcs_len and tbv
reported length.



If I change my assignment in pcap_read_post_process() to

pseudo_header->eth.fcs_len = -1;

the frame can be dissected correctly without error.



Now my question:

I thought I have to set pseudo_header->eth.fcs_len to 4, as the tvb
contains the FCS, but this does result in false dissection of packets.
Am I wrong and do I have to set pseudo_header->eth.fcs_len to -1? Will
this work witch all other dissectors? Or is the behaviour a bug in the
PN dissector?



Regards,

Holger









Hilscher Gesellschaft für Systemautomation mbH
Rheinstr. 15, 65795 Hattersheim
Sitz der Gesellschaft: Hattersheim
Geschäftsführer: Hans-Jürgen Hilscher
Registergericht: Amtsgericht Frankfurt/Main
Handelsregister: Frankfurt B 26873
www.hilscher.com


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to