Re: Strange decoding?

[Vincent CATROS <vincent.catros () laposte net>]

Hello and thanks for answers,

IMHO the problem is comming from the fact that we have 2 redundant informations.
ethertype and IP.Version fields.
It would the same thing for IPx-over-IPx as the IP-protocol field has not the same value for IPv4 and IPv6.
We could think that the decision should not be taken on the IP-version field but it won't work for some situation. 
Actually, for some encapsulation (IPoUDP) the IP version is not know before inspecting IP-Version field.

I think a good solution would be to have 3 "dissect_ip()" functions :
- dissect_ip() when we don't know if the packet is IPv4 or IPv6 before inspecting IP-Version field.
- dissect_ipv4(). When we know the packet is (or should be) IPv4 (IPoE, IPoIP...). In that case IP-Version field will 
be checked for coherence.
- dissect_ipv6(). When we know the packet is (or should be) IPv6 (IPoE, IPoIP...). In that case IP-Version field will 
be checked for coherence.


I am new on this list... I don't know your processes.
Should I submit a bug report or change request somewhere?

Regards.
Vincent 

> Message du 25/01/12 12:07
> De : "Michael Tuexen" 
> A : "Community support list for Wireshark" 
> Copie à : "Vincent CATROS" 
> Objet : Re: [Wireshark-users] Strange decoding?
>
> On Jan 25, 2012, at 11:39 AM, wiresharkusers () synerity com wrote:
>
> > Hi,
> >
> > I haven't looked at the source code, but I guess Wireshark reads the IP
> > version information in the IP header (contained in the first byte of the IP header),
> > which is 6 in packet #6, and that probably overrides the ethertype.
> By looking at the code, you find in packet-ip.c, dissect_ip():
> iph->ip_v_hl = tvb_get_guint8(tvb, offset);
> if ( hi_nibble(iph->ip_v_hl) == 6) {
> call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
> return;
> }
> This means if the IPv4 dissector gets called with an IPv6 packet, it is
> just decoded as an IPv6 packet. I'm not sure why we do this. Does anyone do?
>
> Best regards
> Michael
> > Regards,
> > Jasper
> >
> > > Hello,
> >
> > > I have a faulty equipement sending IPv6 packets with ethertype 0x0800 (IPv4).
> > > Nevertheless Wireshark decodes it as IPv6. (check packet #6 of the joined file).
> >
> > > It seems strange to me, I thought Wireshark uses ethertype for decoding, or
> > > least selecting the disector, but it does not seems to be the case. And even
> > > if Wireshark uses an other method I would have like it to warn me.
> >
> > > Could someone explain to me why this behaviour?
> >
> > > Regards.
> > > Vincent
> >
> > > Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ?
> > > Je crée ma boîte mail www.laposte.net
> >
> >
> > ___________________________________________________________________________
> > Sent via: Wireshark-users mailing list 
> > Archives: http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ?
Je crée ma boîte mail www.laposte.net
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe