ENIP packets are not decoded as ENIP anymore

The length check in dissect_enip_tcp() was previously removed but
it's necessary to filter out one byte messages that are most likely
TCP keep alives.

Bug: 14434

Change-Id: I44c10aaf0a2e06870ad82f87aab9d72548b77f9f
Reviewed-on: https://code.wireshark.org/review/25807
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Dylan Ulis 2018-02-15 14:11:06 -05:00 committed by Michael Mann
parent 6a819d9950
commit 2ecb33c039
1 changed files with 9 additions and 0 deletions

@ -2866,6 +2866,15 @@ dissect_enip_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
static int
dissect_enip_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
// TCP connections for EtherNet/IP are typically open for extended periods of time.
// This means that mostly likely, for real world traffic, a capture initiated for
// EtherNet/IP traffic will start in the middle of a TCP connection. This check
// ignores one byte TCP payloads because it is far more likely that a one byte TCP
// payload is a TCP keep alive message, than a client actually sending real EtherNet/IP
// messages in one byte chunks.
if (tvb_captured_length(tvb) < 2)
return 0;
tcp_dissect_pdus(tvb, pinfo, tree, enip_desegment, 4, get_enip_pdu_len, dissect_enip_pdu, data);
return tvb_captured_length(tvb);
}
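
Review bot: the guard `if (tvb_captured_length(tvb) < 2)` in dissect_enip_tcp() tests the captured length, while the comment above it reasons about the size of the TCP payload on the wire. `tvb_reported_length(tvb)` would match that intent, so a segment cut short by the capture snap length is not mistaken for a keep-alive. Because the function returns 0 at this point, a one-byte segment that is really the first byte of an EtherNet/IP PDU is rejected instead of being passed to tcp_dissect_pdus() for reassembly; the comment accepts that trade-off, and it is worth stating it next to the `return 0;`. Minor points: "mostly likely" in the comment should read "most likely", and since `< 2` also rejects an empty tvb, the comment could mention that the check covers zero-length payloads as well as one-byte ones.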