Discussion:
Gigasmart trailer
Todd Kleinsasser
2014-04-29 18:56:46 UTC
Hello everyone, I am having an issue where I use a gigamon gigasmart card to slice a packet and add a trailer. As far as I can tell gigasmart is doing this correctly. However, when I open a capture up in wireshark it appears wireshark is not decoding the trailer correctly. I really have two issues.

First, if the packet is not sliced wireshark decodes the trailer correctly. However, for any packet that is sliced by a gigasmart card there is no decode for the trailer. It appears the trailer is actually there by looking at the hex, however wireshark does not recognize it.

Second problem is, Wireshark does not know the packets were sliced. All of the TCP analysis is off because wireshark is calculating the packet size wrong. It appears wireshark is calculating the TCP payload length by taking the packet size it saw on the wire (which has been sliced) - Ethernet header - IP header - TCP header. Doesn't appear to be using the IP packet length in the calculation. Because of this wireshark is reporting a ton of TCP errors even though there really are none.

Thanks for any help,
todd
Guy Harris
2014-04-29 23:28:34 UTC
Post by Todd Kleinsasser
Hello everyone, I am having an issue where I use a gigamon gigasmart card to slice a packet and add a trailer. As far as I can tell gigasmart is doing this correctly. However, when I open a capture up in wireshark it appears wireshark is not decoding the trailer correctly.
Slicing packets *and* adding trailers goes, I suspect, beyond what a heuristic can possibly manage to figure out. I suspect the only way to fix any of this is to modify Wireshark so that there is a preference to indicate whether packets have Gigamon trailers or not.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Guy Harris
2014-04-29 23:44:46 UTC
Post by Guy Harris
Post by Todd Kleinsasser
Hello everyone, I am having an issue where I use a gigamon gigasmart card to slice a packet and add a trailer. As far as I can tell gigasmart is doing this correctly. However, when I open a capture up in wireshark it appears wireshark is not decoding the trailer correctly.
Slicing packets *and* adding trailers goes, I suspect, beyond what a heuristic can possibly manage to figure out. I suspect the only way to fix any of this is to modify Wireshark so that there is a preference to indicate whether packets have Gigamon trailers or not.
...unless what the card does is preserve the original Ethernet header and add an additional header before it with a Gigamon Ethernet type (so that the packet can be identified as having been run through the Gigamon).

And, unless the trailer (or any header also added) indicates by how much the packet has been sliced, there might have to be an *additional* preference to indicate that.

Guy Harris
2014-04-30 00:02:30 UTC
Post by Todd Kleinsasser
Second problem is, Wireshark does not know the packets were sliced.
Then it somehow needs to be told. See my earlier emails.
Post by Todd Kleinsasser
All of the TCP analysis is off because wireshark is calculating the packet size wrong. It appears wireshark is calculating the TCP payload length by taking the packet size it saw on the wire (which has been sliced) – Ethernet header – IP header – TCP header. Doesn’t appear to be using the IP packet length in the calculation.
The IP code will, if the IP total length is *less* than the amount of data handed to it by whatever dissector calls it (Ethernet, 802.11, PPP, etc.), set the length of the buffer it processes to the IP total length (which allows the Ethernet dissector to know how much of the packet *isn't* part of the IP datagram and is thus a trailer).

If it's *greater*, however, it doesn't do anything with it.

I'd argue that it should report that as an error, because in *normal* circumstances, that's exactly what it is; an IP datagram with a bogus length that's greater than the actual amount of data in the packet. It should also not set the buffer length, even if it bothers to hand off the payload of the IP datagram to sub-dissectors.

That would, of course, mean that a sliced-by-a-Gigasmart-card packet would be shown as an error, but that's the right thing to do here, as it would've turned up this problem sooner and made it clearer that there needs to be a way to tell Wireshark that the packet was sliced and by how much!
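The length comparison discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's code: it compares the IPv4 total length with the bytes actually captured and shows how the TCP payload length differs depending on which one is used. The frames, addresses and the 16-byte trailer are constructed placeholders; the trailer bytes do not represent any real vendor format.

```python
import struct

ETH_HLEN = 14  # Ethernet II header, no VLAN tag assumed

def build_frame(payload_len, slice_to=None, trailer=b""):
    """Constructed Ethernet/IPv4/TCP frame (made-up addresses and ports)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = b"\x02" * 12 + b"\x08\x00" + ip + tcp + b"A" * payload_len
    if slice_to is not None:
        frame = frame[:slice_to]          # the tool slices the packet...
    return frame + trailer                # ...then appends its trailer

def classify(frame):
    """Compare the IPv4 total length with the bytes actually captured."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("need a complete Ethernet II + IPv4 header")
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    tcp_off = ETH_HLEN + ihl
    if frame[ETH_HLEN + 9] != 6 or len(frame) < tcp_off + 20:
        raise ValueError("need a complete TCP header")
    total_len = struct.unpack_from("!H", frame, ETH_HLEN + 2)[0]
    available = len(frame) - ETH_HLEN     # what the link layer hands to IP
    hdrs = ihl + (frame[tcp_off + 12] >> 4) * 4
    out = {"payload_from_ip_len": total_len - hdrs,
           "payload_from_captured": available - hdrs}
    if total_len < available:
        # Extra bytes after the datagram: a trailer that can be split off.
        out.update(verdict="trailer", trailer_len=available - total_len)
    elif total_len > available:
        # Datagram claims more than was captured. Any appended trailer is
        # indistinguishable from payload here, so this is a lower bound.
        out.update(verdict="truncated", min_missing=total_len - available)
    else:
        out.update(verdict="exact")
    return out

if __name__ == "__main__":
    placeholder = b"\xaa" * 16  # constructed bytes, not a real vendor trailer
    for name, f in [("unsliced", build_frame(100)),
                    ("unsliced+trailer", build_frame(100, trailer=placeholder)),
                    ("sliced+trailer", build_frame(1000, 64, placeholder))]:
        print(name, classify(f))
```

In the sliced-plus-trailer case the captured-length figure counts the trailer bytes as TCP payload, which is why a length comparison alone cannot recover the trailer boundary.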