IMAP dissector/filter fails to decode FETCH of message body

asked 2019-10-21 06:36:37 +0000

I see the problem with the version installed with Fedora 30 (Wireshark 3.0.3). With Fedora 27 using Wireshark 2.6.2 the IMAP frames decoded perfectly. With 3.0.3 the response for IMAP fetch of message bodies fails to decode as IMAP and shows as TCP in the "Proto" column. I downgraded back to ws 2.6.2 on Fedora 30 (using RPMs from Fedora 27) and it works correctly again. All IMAP packets are decoded and displayed correctly, including fetch responses. I also noticed that with ws 3.0.3 on Fedora 30 memory usage by ws fairly quickly went up; per "top" it would show >50%. With 2.6.2 running on F30, it hovers around 3% and doesn't ramp up quickly.

Note: I use non-standard ports for imap: 142 and 146 and have set them to "decode as" imap. The filter I use is this: imap && (tcp.port==146 || tcp.port==142)



Possibly TCP reassembly. Difficult to comment further without the actual capture file. Can you post it to a public share and add a link to it back here?

grahamb ( 2019-10-21 08:52:11 +0000 )