0

heuristic dissector - Malformed packet - Same port different protocol

I have a pcap with 2 packets over UDP, with the same port.
I want my heuristic dissector to recognize only the second packet as my protocol.
So I want to have one UDP packet, and the second will be my dissector protocol.
My dissector is based on a magic number at a specific offset.

The second packet is recognized as my protocol by the heuristic dissector.
And the first one is UDP, and under the UDP layer there is Malformed packet: rtp stats.
And in expert information, I get Malformed packet (Exception occurred).

There are a lot of examples, each one with different code (according to changes in the API, I believe).
I tried with create_dissector_handle and without.

void proto_reg_handoff_rtp_stats(void)
{
    static gboolean initialized = FALSE;
    //static dissector_handle_t rtp_stats_handle;

    if (!initialized) {
        //rtp_stats_handle = create_dissector_handle(dissect_rtp_stats, proto_rtp_stats);
        initialized = TRUE;

        /* Register the heuristic on the UDP heuristic dissector list. */
        heur_dissector_add("udp", dissect_rtp_heur_stats, "rtp stats on udp(heuristic)", "rtp-stats", proto_rtp_stats, HEURISTIC_ENABLE);
    }
}

And here is the heuristic checker version,

static gboolean
dissect_rtp_heur_stats(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    /* Reads 4 bytes at offset 12 without first checking that the captured
       packet is at least 16 bytes long; a shorter packet throws a bounds
       exception here, before the magic number is ever compared. */
    uint32_t nMagicNumber = tvb_get_ntohl(tvb, 12);
    if (nMagicNumber != 0xCACAD0D0)
    {
        col_clear(pinfo->cinfo, COL_INFO);
        return FALSE;
    }
    printf("rtp stats %X\n", nMagicNumber);
    return (dissect_rtp_stats(tvb, pinfo, tree, data) != 0);
}

I found my problem: it was crashing before the check, because I didn't check the packet length.

yaroni
asked 2020-07-15 15:15:47 +0000
grahamb
updated 2020-07-16 08:35:44 +0000

Comments

Not sure I get it, the rtp heur dissector claims a packet it shouldn't? You can disable that particular dissector.

Anders (2020-07-15 17:36:09 +0000)

My dissector is rtp_stats, I don't want to disable it.

yaroni (2020-07-16 06:22:39 +0000)

1 Answer

0

If you get Malformed packet: rtp stats, then your dissector heuristic does allow the packet to be handed off to the dissection function. If that is expected, then your dissection function is not correct for that payload. If that is not expected, then your heuristic function is not strong enough.

Jaap
answered 2020-07-15 17:38:32 +0000

Comments

I found my problem: it was crashing before the check, because I didn't check the packet length.
Thank you for your help.

yaroni (2020-07-16 06:22:18 +0000)

The length check before accessing anything is noted in the example heuristic dissector in README.heuristic.

grahamb (2020-07-16 08:38:04 +0000)

Yes, thank you, I found the problem already.

yaroni (2020-07-16 09:33:37 +0000)

Yep, I added it as a reference for others who may search for the same issue.

grahamb (2020-07-16 10:10:20 +0000)
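The length-before-access rule discussed in this answer thread, shown as an added example that is neither the poster's code nor Wireshark's: a stand-alone C model of the corrected heuristic. rtp_stats_heuristic() stands in for dissect_rtp_heur_stats(), get_ntohl() for tvb_get_ntohl(), and the captured_len parameter for what tvb_captured_length(tvb) would supply; the 16-byte minimum follows from the 4-byte magic at offset 12, and the sample payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the question: a 4-byte magic number at offset 12. */
#define RTP_STATS_MAGIC_OFFSET 12u
#define RTP_STATS_MAGIC        0xCACAD0D0u
#define RTP_STATS_MIN_LEN      (RTP_STATS_MAGIC_OFFSET + 4u)

/* Big-endian 32-bit read; plays the role of tvb_get_ntohl() here. */
static uint32_t get_ntohl(const uint8_t *buf, size_t off)
{
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

/* Heuristic check: the length test comes first, so a short payload is
 * declined (left for other dissectors) instead of being read past its
 * end, which is what produced the "Malformed packet" exception. In a
 * real dissector captured_len would come from tvb_captured_length(tvb). */
bool rtp_stats_heuristic(const uint8_t *buf, size_t captured_len)
{
    if (captured_len < RTP_STATS_MIN_LEN)
        return false;                       /* too short to hold the magic */
    return get_ntohl(buf, RTP_STATS_MAGIC_OFFSET) == RTP_STATS_MAGIC;
}

/* Constructed sample UDP payloads, not taken from any real capture. */
const uint8_t rtp_stats_sample_match[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0xCA,0xCA,0xD0,0xD0};
const uint8_t rtp_stats_sample_other[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0x11,0x22,0x33,0x44};
const uint8_t rtp_stats_sample_short[12] = {0};

int main(void)
{
    /* Two packets on the same UDP port: only the second carries the magic. */
    printf("plain udp: %s\n", rtp_stats_heuristic(rtp_stats_sample_other, 16) ? "claimed" : "declined");
    printf("rtp stats: %s\n", rtp_stats_heuristic(rtp_stats_sample_match, 16) ? "claimed" : "declined");
    printf("truncated: %s\n", rtp_stats_heuristic(rtp_stats_sample_short, 12) ? "claimed" : "declined");
    return 0;
}
```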
