f5ethtrailer: Won't find a trailer after an FCS that begins with a 0x00 byte
Summary
In cases where a trailer is appended after an existing FCS and that FCS begins with one or more 0x00 bytes, the f5ethtrailer will not be detected.
What is the current bug behavior?
In the output below, frame 1 does have an f5ethtrailer, with its magic at offset 0x4A. The FCS is 0x00d43e2f at offset 0x46. This FCS is not detected.
Frame 2 has an FCS and f5ethtrailer magic at the same offsets and is detected.
What is the expected correct behavior?
The f5ethtrailer in both frames should be detected.
Sample capture file
$ tshark -r fcs0.pcap -O f5ethtrailer -x
Frame 1: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface unknown, id 0
Ethernet II, Src: F5Networ_8f:48:09 (00:94:a1:8f:48:09), Dst: F5Networ_e7:20:8f (00:0a:49:e7:20:8f)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1102
Internet Protocol Version 4, Src: 10.2.45.220, Dst: 10.2.108.100
Transmission Control Protocol, Src Port: 35133, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
0000 00 0a 49 e7 20 8f 00 94 a1 8f 48 09 81 00 04 4e ..I. .....H....N
0010 08 00 45 00 00 34 47 09 40 00 40 06 45 77 0a 02 ..E..4G.@.@.Ew..
0020 2d dc 0a 02 6c 64 89 3d 00 50 6c c3 0b c0 b1 0e -...ld.=.Pl.....
0030 20 c6 80 10 ff ff 35 e1 00 00 01 01 08 0a 08 23 .....5........#
0040 77 b2 08 0c 36 d1 00 d4 3e 2f f5 de b0 f5 00 1c w...6...>/......
0050 00 01 00 05 00 01 00 14 00 01 04 88 0f 78 ff 1f .............x..
0060 ff 3f c9 38 2f 00 .?.8/.
Frame 2: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface unknown, id 0
Ethernet II, Src: F5Networ_8f:48:09 (00:94:a1:8f:48:09), Dst: F5Networ_e7:20:8f (00:0a:49:e7:20:8f)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1102
Internet Protocol Version 4, Src: 10.2.45.220, Dst: 10.2.108.100
Transmission Control Protocol, Src Port: 35133, Dst Port: 80, Seq: 1, Ack: 1449, Len: 0
F5 Ethernet Trailer Protocol
Original FCS: 0x9bb714fb
F5 Trailer Header - Version: 1
Magic: 0xf5deb0f5
Length: 28
Version: 1
Unknown trailer
F5 Trailer Header, Provider: 5, Type: 1
Provider: 5
Type: 1
Trailer length: 20
Version: 1
Data: 04 88 0f 78 ff 1f ff 3f c9 38 2f 00
0000 00 0a 49 e7 20 8f 00 94 a1 8f 48 09 81 00 04 4e ..I. .....H....N
0010 08 00 45 00 00 34 47 0a 40 00 40 06 45 76 0a 02 ..E..4G.@.@.Ev..
0020 2d dc 0a 02 6c 64 89 3d 00 50 6c c3 0b c0 b1 0e -...ld.=.Pl.....
0030 26 6e 80 10 ff ff 30 39 00 00 01 01 08 0a 08 23 &n....09.......#
0040 77 b2 08 0c 36 d1 9b b7 14 fb f5 de b0 f5 00 1c w...6...........
0050 00 01 00 05 00 01 00 14 00 01 04 88 0f 78 ff 1f .............x..
0060 ff 3f c9 38 2f 00 .?.8/.
Build information
$ tshark -v
TShark (Wireshark) 3.4.1 (v3.4.1-0-g1a27f405875f)
Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.37.6,
with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS
3.4.17, with Gcrypt 1.8.5, with MIT Kerberos, without MaxMind DB resolver, with
nghttp2 1.39.2, without brotli, without LZ4, with Zstandard, without Snappy,
with libxml2 2.9.9.
Running on Mac OS X 10.15.7, build 19H114 (Darwin 19.6.0), with Intel(R)
Core(TM) i7-7920HQ CPU @ 3.10GHz (with SSE4.2), with 16384 MB of physical
memory, with locale en_US.UTF-8, with libpcap version 1.9.1, with GnuTLS 3.4.17,
with Gcrypt 1.8.5, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16).
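An added example (not part of the original report and not Wireshark's dissector code): a Python check that locates the trailer in the two sample frames by its magic and length field alone, so the value of the four bytes in front of the magic plays no part in detection. The field layout is inferred from the frame 2 dissection in the report; the function names and the tail-only byte strings are constructed for illustration.

```python
import struct

MAGIC = bytes.fromhex("f5deb0f5")
BASE = 0x40  # the byte strings below start at frame offset 0x40

# Bytes 0x40..0x65 of each frame, copied from the hex dumps in the report.
FRAME1_TAIL = bytes.fromhex(
    "77b2080c36d1" "00d43e2f" "f5deb0f5001c"
    "0001000500010014000104880f78ff1f" "ff3fc9382f00")
FRAME2_TAIL = bytes.fromhex(
    "77b2080c36d1" "9bb714fb" "f5deb0f5001c"
    "0001000500010014000104880f78ff1f" "ff3fc9382f00")


def parse_tlvs(data, start, end):
    """Walk TLVs: provider, type, length, version (16-bit big-endian each)."""
    tlvs = []
    while start + 8 <= end:
        provider, typ, tlen, ver = struct.unpack_from(">HHHH", data, start)
        if tlen < 8 or start + tlen > end:
            break  # malformed TLV: stop rather than read past the trailer
        tlvs.append((provider, typ, tlen, ver))
        start += tlen
    return tlvs


def find_trailer(data, base=0):
    """Find a trailer whose length field runs exactly to the end of the frame."""
    pos = data.find(MAGIC)
    while pos != -1:
        if pos + 8 <= len(data):
            length, version = struct.unpack_from(">HH", data, pos + 4)
            if pos + length == len(data):
                # The 4 bytes before the magic are only a candidate FCS;
                # their value (leading 0x00 or not) is never tested here.
                fcs = data[pos - 4:pos] if pos >= 4 else None
                return {"offset": base + pos, "fcs": fcs, "length": length,
                        "version": version,
                        "tlvs": parse_tlvs(data, pos + 8, len(data))}
        pos = data.find(MAGIC, pos + 1)  # false match: keep scanning
    return None


if __name__ == "__main__":
    for name, tail in (("frame 1", FRAME1_TAIL), ("frame 2", FRAME2_TAIL)):
        print(name, find_trailer(tail, BASE))
```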