diff options
| author | Dylan Ulis <daulis0@gmail.com> | 2018-02-15 14:11:06 -0500 |
|---|---|---|
| committer | Michael Mann <mmann78@netscape.net> | 2018-03-10 21:12:51 +0000 |
| commit | 2ecb33c039d75d851bb4fc4e72c8f8a389c9ab55 (patch) | |
| tree | 699a40635aa5cc8ac135d04c0a4ace1b506275e9 | |
| parent | 6a819d9950e41244b742073f0962e2c5a80eb735 (diff) | |
ENIP packets are not decoded as ENIP anymore
The length check in dissect_enip_tcp() was previously removed but
it's necessary to filter out one byte messages that are mostly likely
TCP keep alives.
Bug: 14434
Change-Id: I44c10aaf0a2e06870ad82f87aab9d72548b77f9f
Reviewed-on: https://code.wireshark.org/review/25807
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
| -rw-r--r-- | epan/dissectors/packet-enip.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/epan/dissectors/packet-enip.c b/epan/dissectors/packet-enip.c index 84babb00fc..6b21fbfda4 100644 --- a/epan/dissectors/packet-enip.c +++ b/epan/dissectors/packet-enip.c @@ -2866,6 +2866,15 @@ dissect_enip_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data static int dissect_enip_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { + // TCP connections for EtherNet/IP are typically open for extended periods of time. + // This means that mostly likely, for real world traffic, a capture initiated for + // EtherNet/IP traffic will start in the middle of a TCP connection. This check + // ignores one byte TCP payloads because it is far more likely that a one byte TCP + // payload is a TCP keep alive message, than a client actually sending real EtherNet/IP + // messages in one byte chunks. + if (tvb_captured_length(tvb) < 2) + return 0; + tcp_dissect_pdus(tvb, pinfo, tree, enip_desegment, 4, get_enip_pdu_len, dissect_enip_pdu, data); return tvb_captured_length(tvb); } |