Missing mandatory field id in struct.

asked 2023-10-06 21:57:04 +0000

budking

Code:

Frame 208030: 1410 bytes on wire (11280 bits), 1410 bytes captured (11280 bits) on interface any, id 0
    Section number: 1
    Interface id: 0 (any)
        Interface name: any
    Encapsulation type: Linux cooked-mode capture v1 (25)
    Arrival Time: Oct  6, 2023 23:39:25.240882611 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1696628365.240882611 seconds
    [Time delta from previous captured frame: 0.000186590 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 1616.566239079 seconds]
    Frame Number: 208030
    Frame Length: 1410 bytes (11280 bits)
    Capture Length: 1410 bytes (11280 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:tcp:thrift]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Linux cooked capture v1
    Packet type: Unicast to us (0)
    Link-layer address type: zero header length (65534)
    Link-layer address length: 0
    Unused: 72e85f16beadb57c
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 88.163.224.143, Dst: 10.96.0.4
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1394
    Identification: 0xc913 (51475)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x28dc [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 88.163.224.143
    Destination Address: 10.96.0.4
Transmission Control Protocol, Src Port: 17527, Dst Port: 41450, Seq: 24691482, Ack: 2123174, Len: 1342
    Source Port: 17527
    Destination Port: 41450
    [Stream index: 30]
    [Conversation completeness: Incomplete, DATA (15)]
    [TCP Segment Len: 1342]
    Sequence Number: 24691482    (relative sequence number)
    Sequence Number (raw): 2104701472
    [Next Sequence Number: 24692824    (relative sequence number)]
    Acknowledgment Number: 2123174    (relative ack number)
    Acknowledgment number (raw): 4169978086
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 251
    [Calculated window size: 64256]
    [Window size scaling factor: 256]
    Checksum: 0x5389 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 639884022: TSval 639884022, TSecr 4134066288
            Timestamp echo reply: 4134066288
    [Timestamps]
        [Time since first frame in this TCP stream: 553.110775095 seconds]
        [Time since previous frame in this TCP stream: 0.016986903 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.080914942 seconds]
        [Bytes in flight: 1342]
        [Bytes sent since last PSH flag: 1342]
    TCP payload (1342 bytes)
    TCP segment data (1342 bytes)
[58 Reassembled TCP Segments (64242 bytes): #207735(1342), #207736(1342), #207747(1342), #207750 ...

1 Answer


answered 2023-10-07 14:28:53 +0000

Chuckc

This is most likely a false match in the thrift_tcp heuristic check.
epan/dissectors/packet-thrift.c:

/* Check that the 2-byte value match a Thrift TCompactProtocol version
 * - 0x82 The protocol id.
 * - 0bmmmvvvvv The method on the 3 MSbits and version on the 5 LSbits.
 */

The first two bytes (8261) of the Reassembled TCP Data will match the check for
#define THRIFT_COMPACT_VERSION_1 0x8201 when the mask
#define THRIFT_COMPACT_VERSION_MASK 0xff1f is applied.

You can disable the thrift_tcp dissector at Analyze->Enable Protocols....
Search for thrift then uncheck thrift_tcp.

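The masked comparison described in the answer above, as an added example that is not part of the original post and is not Wireshark's code. The two constants are the ones quoted in the answer; the helper names are hypothetical, the sample buffer is constructed (only its leading bytes 82 61 come from the post), and only the two-byte version test is modelled, not any other check the dissector may perform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the answer from epan/dissectors/packet-thrift.c. */
#define THRIFT_COMPACT_VERSION_1    0x8201
#define THRIFT_COMPACT_VERSION_MASK 0xff1f

/* Hypothetical helper (not a Wireshark function): apply the masked
 * version test to the first two bytes of a payload, read big-endian. */
static int looks_like_compact_thrift(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return 0;                       /* too short to test */
    uint16_t head = (uint16_t)((buf[0] << 8) | buf[1]);
    return (head & THRIFT_COMPACT_VERSION_MASK) == THRIFT_COMPACT_VERSION_1;
}

/* The mask drops the 3 MSbits of the second byte; return those bits. */
static unsigned ignored_bits(const uint8_t *buf)
{
    return (unsigned)(buf[1] >> 5);
}

/* Count how many of the 65536 possible 2-byte prefixes pass the test. */
static unsigned count_matching_prefixes(void)
{
    unsigned hits = 0;
    for (uint32_t v = 0; v <= 0xffff; v++) {
        uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)(v & 0xff) };
        hits += (unsigned)looks_like_compact_thrift(b, sizeof b);
    }
    return hits;
}

int main(void)
{
    /* Constructed sample: only the leading 82 61 is taken from the post. */
    const uint8_t reassembled[] = { 0x82, 0x61, 0x00, 0x00 };

    printf("82 61 passes the test: %d (masked-out bits = %u)\n",
           looks_like_compact_thrift(reassembled, sizeof reassembled),
           ignored_bits(reassembled));
    printf("2-byte prefixes that pass: %u of 65536\n",
           count_matching_prefixes());
    return 0;
}
```

Any payload whose first byte is 0x82 and whose second byte ends in the bits 00001 passes this test, whatever protocol actually produced it.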
