Wireshark won't dissect time protocol completely

edit

The code in question was added in November 2015, with the following commit message:

UDP: Don't throw malformed errors for empty UDP payload

Unfortunately, it's unclear which erroneous malformed errors were being thrown. In any case, it would appear that this change was the wrong fix to that problem.

I would suggest opening up a Wireshark bug report referencing this change, and as grahamb suggested, please attach a small capture file to the bug report depicting the problem with the TIME packet.

Further analysis confirmed my theory and this is due to this section in packet-udp.c

if (udph->uh_ulen == 8) { /* Empty UDP payload, nothing left to do. */ return; }

No parsing of sub-protocols is attempted if the UDP length is 8 (header only) as I expected. However, this is still a valid TIME packet that should be tagged accordingly based on destination port. I'm uncertain of the impact of removing this code though to other sub-protocols of UDP.

This does lead to some other protocols possibly throwing a malformed packet error. One of those protocols is RTCP. Changing the time protocol to correctly return true may prevent this in this instance, but maybe not others. The only way to know for certain will be to remove this, and wait for reports to occur, and fix those in the sub-protocols.

Change for time protocol is this:

if (pinfo->srcport == pinfo->match_uint) {
    /* seconds since 1900-01-01 00:00:00 GMT, *not* 1970 */
    guint32 delta_seconds = tvb_get_ntohl(tvb, 0);
    proto_tree_add_uint_format(time_tree, hf_time_time, tvb, 0, 4,
            delta_seconds, "%s",
            abs_time_secs_to_str(wmem_packet_scope(), delta_seconds-2208988800U,
                (absolute_time_display_e)time_display_type, TRUE));
    return tvb_captured_length(tvb);
}
else
{
    return TRUE;
}