ENIP packets are not decoded as ENIP anymore
The length check in dissect_enip_tcp() was previously removed but it's necessary to filter out one byte messages that are most likely TCP keep alives.

Bug: 14434
Change-Id: I44c10aaf0a2e06870ad82f87aab9d72548b77f9f
Reviewed-on: https://code.wireshark.org/review/25807
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
parent
6a819d9950
commit
2ecb33c039
|
@ -2866,6 +2866,15 @@ dissect_enip_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
|
|||
static int
|
||||
dissect_enip_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
|
||||
{
|
||||
// TCP connections for EtherNet/IP are typically open for extended periods of time.
|
||||
// This means that mostly likely, for real world traffic, a capture initiated for
|
||||
// EtherNet/IP traffic will start in the middle of a TCP connection. This check
|
||||
// ignores one byte TCP payloads because it is far more likely that a one byte TCP
|
||||
// payload is a TCP keep alive message, than a client actually sending real EtherNet/IP
|
||||
// messages in one byte chunks.
|
||||
if (tvb_captured_length(tvb) < 2)
|
||||
return 0;
|
||||
|
||||
tcp_dissect_pdus(tvb, pinfo, tree, enip_desegment, 4, get_enip_pdu_len, dissect_enip_pdu, data);
|
||||
return tvb_captured_length(tvb);
|
||||
}
|
||||
|
|
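Review bot: the guard `if (tvb_captured_length(tvb) < 2)` in dissect_enip_tcp() tests the captured length, while the comment above it reasons about the size of the TCP payload on the wire. In a capture taken with a short snapshot length, a segment that was longer on the wire but captured with fewer than two payload bytes would also be rejected here and fall through to other dissectors. Consider testing `tvb_reported_length(tvb)` instead so the check matches the stated intent. The condition also covers zero-length payloads, which the comment does not mention, and the threshold of 2 sits next to the fixed header length of 4 passed to tcp_dissect_pdus() without a note on why the two differ; a sentence in the comment would help. Minor: "mostly likely" in the comment should read "most likely".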