Exporting MATE filtered displayed packets does not have all fragments - SUSE

asked 2019-03-07 23:57:02 +0000

ssharkwsk gravatar image

I have compiled wireshark in my SLES-11-SP1 server and trying to use MATE plugin filters. When I export displayed packets after applying filter, it does not save all fragments to assist with re-assembly when I open the filtered trace. Due to this some packets are missing in the final exported trace

I also have an environment where I have same version of wireshark running on Ubuntu 18.04. If I use same MATE configuration file and export displayed packets, I can see all relevant fragments are getting saved and re-assembly is possible in the filtered trace.

The issue happens for SCTP fragmented packets. Diameter application is running on top of SCTP

I know there are differences in dependencies/libraries between SuSE 11 & Ubuntu 18.04 platforms. Would like to get some ideas where to look for for this specific issue. Can these OS's handle fragments differently ?

Thanking you all in anticipation

edit retag flag offensive close merge delete

Comments

Some initial questions:

  1. What are the Wireshark version(s)?
  2. Are the preferences exactly the same between the two systems? I'd suggest doing a diff on the preferences files.
  3. I assume you've tried this with the same capture file (and same MATE file)?

It would be interesting to know which frame(s) don't make it into the final file that cause the problem. Presumably they're SCTP fragments but does the missing fragment have something unique about it (like being IP fragmented too)?

JeffMorriss gravatar imageJeffMorriss ( 2019-03-08 21:55:15 +0000 )edit
  1. Wireshark 3.1.0
  2. Yes
  3. Yes same capture file & MATE config file

I can confirm its only SCTP fragments and no IP fragments

ssharkwsk gravatar imagessharkwsk ( 2019-03-09 13:33:57 +0000 )edit

I think we'd probably need a reproducer to test this (capture file, MATE file, steps to repeat the problem, which frames don't make it into the new file but should have). The problem doesn't make any sense to me.

I think your last comment on bug 12597 is related to this question:

Can anyone advise me what libraries/dependencies might be involved in deciding/marking the fragmented packets while using display filter ?

There aren't any external dependencies that should be involved here. It's all native Wireshark code. IOW if it's the same Wireshark version then it should behave the same.

JeffMorriss gravatar imageJeffMorriss ( 2019-03-15 18:50:47 +0000 )edit

I do have traces & MATE configs, but can share it directly with you..

ssharkwsk gravatar imagessharkwsk ( 2019-03-17 00:29:36 +0000 )edit

Seems not too much movement in this thread (neither in bugzilla). It would be fantastic to get it fixed, this issue is really annoying!

If there is any way I could help (share sample snoops, test the patch, etc) - I'm happy to help.

Best regards, Jarek

Jarek Hartman gravatar imageJarek Hartman ( 2020-09-25 10:44:16 +0000 )edit
add a comment