Ask Your Question
0

I am generating a UDP packet. The data payload is interpreted by Wireshark as a ADwin_config message. What determines an ADwin_config message?

asked 2024-05-23 18:25:03 +0000

CAH gravatar image

updated 2024-05-23 20:15:17 +0000

cmaynard gravatar image

I am attaching a screen capture of the Wireshark packet:

+---------+---------------+----------+
14:16:19,784,777   ETHER
|0   |ff|ff|ff|ff|ff|ff|00|5d|03|01|02|03|08|00|45|00
     |00|32|00|00|00|00|7f|11|e1|ea|a9|fe|af|d2|ff|ff
     |ff|ff|c3|5c|c3|5c|00|1e|00|00|00|16|00|00|00|00
     |00|03|00|00|02|07|00|04|00|dd|18|b9|00|dd|18|b9|
edit retag flag offensive close merge delete

Comments

Formatted for Wireshark "Import from Hex Dump...":

00000000  ff ff ff ff ff ff 00 5d 03 01 02 03 08 00 45 00
00000010  00 32 00 00 00 00 7f 11 e1 ea a9 fe af d2 ff ff
00000020  ff ff c3 5c c3 5c 00 1e 00 00 00 16 00 00 00 00
00000030  00 03 00 00 02 07 00 04 00 dd 18 b9 00 dd 18 b9
Chuckc gravatar imageChuckc ( 2024-05-26 13:40:50 +0000 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2024-05-28 06:49:32 +0000

I am the original author of this dissector (very long time ago). The ADWIN Config protocol is hard coded to port 7000, both for TCP and UDP.

I suggest checking for port 7000 in both TCP _and_ UDP to work around the problem reported by the thread creator.

Note: this is not the case for the regular ADwin communication protocol (packet-adwin.c as opposed to packet-adwin-config.c), which uses port 6543 by default but can be changed to arbitrary port numbers.

edit flag offensive delete link more

Comments

Can you provide a specification document for the protocol?

5324: New dissector for adwin protocols

1. Checking for UDP port 7000 would not work for frames 2 and 3 in the sample capture attached to issue 5324.
2. If UDP trafffic is not on port 7000 then is at least one of the MAC addresses always in the "Jäger Computergesteuerte Meßtechnik GmbH." (adwin) ranges?

Should the heuristic look for UDP port 7000 "or" MAC address in specified range?

Chuckc gravatar imageChuckc ( 2024-05-28 12:28:16 +0000 )edit

I cannot provide a spec for the protocol, but you are correct that checking only for port 7000 would not work for frames 2 and 3 in the sample capture file. Actually, that was a firmware bug where older systems opened a new socket send replies, resulting in numerous problems (firewalls blocking the responses because the src port of the remote end was incorrect).

Newer firmwares should properly answer requests to port 7000 with that socket, and should not cause problems. I guess the buggy old firmwares were the reason why UDP was not restricted to port 7000.

The ideal solution would be record outgoing packets to port 7000 with their old source port and the also use the heuristic dissector to include packets to the old source port.

Hard to tell if it is worth the additional work for older, buggy firmwares.

For me, just restricting to 7000 on ...(more)

TBoehne gravatar imageTBoehne ( 2024-05-28 12:43:50 +0000 )edit

"newer sample captures" :-)
Yes please.

Would you also supply a patch for the UDP dissector?

Chuckc gravatar imageChuckc ( 2024-05-28 12:50:05 +0000 )edit

yes and yes.

Just working on it, needed to create account first.

TBoehne gravatar imageTBoehne ( 2024-05-28 13:06:47 +0000 )edit

Thank you!

Chuckc gravatar imageChuckc ( 2024-05-28 13:07:33 +0000 )edit
0

answered 2024-05-24 11:47:44 +0000

johnthacker gravatar image

Looks like TCP or UDP packets sent to port 7000 with MAC address that are either ADwin's OUI or broadcast are interpreted as ADwin config. UDP does additional length checks, but TCP doesn't because of desegmentation. You might want to disable that dissector

edit flag offensive delete link more

Comments

It only checks the port for TCP:
dissect_adwin_config_tcp():

    if(!(pinfo->srcport == ADWIN_CONFIGURATION_PORT
        || pinfo->destport == ADWIN_CONFIGURATION_PORT))
        return 0;


This check seems to allow any UDP packet of a correct length and a broadcast address to pass?
dissect_adwin_config_udp():

if (! (is_adwin_mac_or_broadcast(pinfo->dl_src) || is_adwin_mac_or_broadcast(pinfo->dl_dst)))
        return 0;


Philosophical beer/coffee discussion question:
"Should niche protocol dissectors be disabled by default or is it better to search for every possible protocol 'just in case'?"
proto_reg_handoff_adwin_config() :

heur_dissector_add("udp", dissect_adwin_config_udp, "ADwin-Config over UDP", "adwin_config_udp", proto_adwin_config, HEURISTIC_ENABLE);
heur_dissector_add("tcp", dissect_adwin_config_tcp, "ADwin-Config over TCP", "adwin_config_tcp", proto_adwin_config, HEURISTIC_ENABLE);
Chuckc gravatar imageChuckc ( 2024-05-26 13:48:22 +0000 )edit

We see both type of questions:

  1. Why isn't my protocol dissected?
  2. Why is my traffic dissected as some other protocol?

With the answers being:

  1. The dissector is disabled (or the traffic is on another port).
  2. Because the traffic is using a port claimed by another dissector.

I'm inclined to be more inclusive and enable all dissectors, possibly disabling those with known poor heuristics and handling.

grahamb gravatar imagegrahamb ( 2024-05-28 08:38:48 +0000 )edit

The UDP dissector is "greedy". If the discussion above provides more data to tighten it up then leaving enabled ok. Otherwise I would propose to make the default setting HEURISTIC_DISABLE for UDP.

Chuckc gravatar imageChuckc ( 2024-05-28 12:47:04 +0000 )edit

Sometimes the answer is "because your packets don't match the protocol spec, possibly because you generated them yourself, possibly because whatever gear you are using is non compliant." Which leads into the argument of whether dissectors should dissect the buggy data anyway.

johnthacker gravatar imagejohnthacker ( 2024-05-28 14:26:47 +0000 )edit

In this case it was a free "fuzz test". :-)

Chuckc gravatar imageChuckc ( 2024-05-28 14:31:22 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-05-23 18:25:03 +0000

Seen: 5,158 times

Last updated: May 28