Invalid decoding of Fin-Ack to contain payload
josemic opened this issue · 11 comments
This packet is decoded by epcap as having 6 bytes of payload, while Wireshark does not show any payload.
<<0,37,34,169,124,93,156,199,166,109,119,220,8,
0,69,0,0,40,79,99,64,0,56,6,192,67,91,215,100,
139,192,168,178,30,0,80,225,205,214,149,255,
217,25,137,180,211,80,17,0,46,245,145,0,0,0,0,
0,0,0,0>>
Could you please send me (ates@ipv6.dp.ua) this pcap file? I will check it and fix it. Thank you.
By the way, for the image I have configured Wireshark to show real sequence numbers:
Edit->Preferences->Protocols->TCP->Relative Sequence Numbers (unselect)
and
Edit->Preferences->Protocols->TCP->Allow subdissectors to reassemble TCP streams (unselect)
This bug was unintentionally closed by me.
I believe this issue should be closed and created in the msantos/pkt project instead. epcap is not responsible for decoding of the binary data. The epcap_net module is present for legacy compatibility.
I agree. I suggest that when you can confirm the bug, either you or I open a new bug in the msantos/pkt project instead. We will then refer to that one and close this one.
Michael, what do you think about removing epcap_net from the epcap project altogether?
If you are referring to "epcap_net.erl" - I am not using it. It just causes confusion.
I use pkt directly. I have created a wrapper around the functions from the Sniffer example and put it into a file:
https://github.com/josemic/eNose/blob/master/epcap_port_app/src/epcap_port_lib.erl
Looks like it's not related to TCP decoding but related to Ethernet decoding. Ethernet packets which have a length less than 64 bytes are padded to 64 bytes.
Ok.
Is the bug in msantos/pkt?
Is there a chance to fix it?
Yes, this bug is related to the pkt project, not to epcap. I will try to fix that soon.
Thanks for the bug report, josemic! I remember seeing this but I forgot to follow up on it. I will have to check my notes. In fact, I seem to have just truncated the frame??!:
https://github.com/msantos/perv/blob/master/src/perv.erl#L191
I've created an issue here:
ates: if you feel like fixing this, I added you as a collaborator to pkt/epcap, if you want to commit directly (feel free to use merge requests if you prefer them).
Otherwise, I will have a look at this in a few days!
BTW, I also remove epcap_net as suggested.
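
Added example, not part of the original thread and not code from pkt or epcap: a decoder that bounds the TCP payload by the IPv4 total-length field, next to a naive one that takes everything after the TCP header. The module and function names are hypothetical; the frame is the one quoted in the report, whose IPv4 total length is 40 (20-byte IP header plus 20-byte TCP header), so the trailing 6 zero bytes are Ethernet padding and not payload.

```erlang
-module(eth_padding).
-export([sample_frame/0, naive_payload/1, tcp_payload/1]).

%% The 60-byte frame quoted in the report above (Ethernet + IPv4 + TCP FIN/ACK).
sample_frame() ->
    <<0,37,34,169,124,93,156,199,166,109,119,220,8,
      0,69,0,0,40,79,99,64,0,56,6,192,67,91,215,100,
      139,192,168,178,30,0,80,225,205,214,149,255,
      217,25,137,180,211,80,17,0,46,245,145,0,0,0,0,
      0,0,0,0>>.

%% Strip the IPv4 and TCP headers from Datagram and return what is left.
%% Header lengths come from the IHL and TCP data-offset fields (32-bit words).
strip_headers(Datagram) ->
    <<4:4, IHL:4, _:64, 6:8, _/bytes>> = Datagram,   % IPv4, protocol 6 = TCP
    true = IHL >= 5,
    IPLen = IHL * 4,
    <<_IPHdr:IPLen/bytes, TCP/bytes>> = Datagram,
    <<_PortsSeqAck:12/bytes, Off:4, _:4, _/bytes>> = TCP,
    true = Off >= 5,
    TCPLen = Off * 4,
    <<_TCPHdr:TCPLen/bytes, Payload/bytes>> = TCP,
    Payload.

%% Naive decode: everything after the 14-byte Ethernet header is treated as
%% the IP datagram, so padding on a short frame is returned as TCP payload.
naive_payload(<<_Eth:14/bytes, Rest/bytes>>) ->
    strip_headers(Rest).

%% Bounded decode: cut the datagram at the IPv4 total length first. Bytes
%% past that point belong to the link layer and are returned separately.
tcp_payload(<<_Dst:6/bytes, _Src:6/bytes, 16#0800:16, IP/bytes>>) ->
    case IP of
        <<_VIHL:8, _ToS:8, TotalLen:16, _/bytes>> when TotalLen =< byte_size(IP) ->
            <<Datagram:TotalLen/bytes, Padding/bytes>> = IP,
            try
                {ok, strip_headers(Datagram), Padding}
            catch
                error:{badmatch, _} -> {error, malformed}
            end;
        _ ->
            {error, bad_total_length}
    end;
tcp_payload(_) ->
    {error, not_ipv4}.
```

Calling `eth_padding:naive_payload(eth_padding:sample_frame())` reproduces the 6-byte "payload" from the report, while `eth_padding:tcp_payload/1` returns an empty payload with the 6 bytes reported as padding, matching what Wireshark shows.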