f5ethtrailer: legacy-format, low-noise-only trailers without a VIP name are no longer detected
Summary
In the specific case where an f5ethtrailer is legacy format (BIG-IP 13.x or earlier), has only low noise, and does not have a VIP name, the trailer will not be detected. This is a regression new to Wireshark 3.4. It was previously detected in Wireshark 3.0 and 3.2.
Steps to reproduce
$ tshark -v
TShark (Wireshark) 3.4.1 (v3.4.1-0-g1a27f405875f)
...
$ tshark -r lownoise.pcap -Y "frame.number eq 2" -O f5ethtrailer -x
Frame 2: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface unknown, id 0
Ethernet II, Src: MS-NLB-PhysServer-01_23:45:01:fe (02:01:23:45:01:fe), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN, PRI: 3, DEI: 0, ID: 4095
Address Resolution Protocol (request)
0000 ff ff ff ff ff ff 02 01 23 45 01 fe 81 00 6f ff ........#E....o.
0010 08 06 00 01 08 00 06 04 00 01 02 01 23 45 01 fe ............#E..
0020 7f 14 02 fe 00 00 00 00 00 00 7f 14 01 41 00 00 .............A..
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 01 05 01 01 00 00 00 .......
$ tshark -v
TShark (Wireshark) 3.0.6 (v3.0.6-0-g908c8e357d0f)
...
$ tshark -r ./lownoise.pcap -Y "frame.number eq 2" -O f5ethtrailer -x
Frame 2: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface 0
Ethernet II, Src: MS-NLB-PhysServer-01_23:45:01:fe (02:01:23:45:01:fe), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN, PRI: 3, DEI: 0, ID: 4095
Address Resolution Protocol (request)
F5 Ethernet Trailer Protocol
Low Details
Type: 1
Trailer length: 5
Version: 1
Ingress: True (IN)
Slot (1-based): 1
TMM (0-based): 0
VIP:
0000 ff ff ff ff ff ff 02 01 23 45 01 fe 81 00 6f ff ........#E....o.
0010 08 06 00 01 08 00 06 04 00 01 02 01 23 45 01 fe ............#E..
0020 7f 14 02 fe 00 00 00 00 00 00 7f 14 01 41 00 00 .............A..
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 01 05 01 01 00 00 00 .......
What is the current bug behavior?
f5ethtrailers are not detected under specific conditions.
What is the expected correct behavior?
The f5ethtrailers should be detected and dissected.
Sample capture file
Build information
$ tshark -v
TShark (Wireshark) 3.4.1 (v3.4.1-0-g1a27f405875f)
Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.37.6,
with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS
3.4.17, with Gcrypt 1.8.5, with MIT Kerberos, without MaxMind DB resolver, with
nghttp2 1.39.2, without brotli, without LZ4, with Zstandard, without Snappy,
with libxml2 2.9.9.
Running on Mac OS X 10.15.7, build 19H114 (Darwin 19.6.0), with Intel(R)
Core(TM) i7-7920HQ CPU @ 3.10GHz (with SSE4.2), with 16384 MB of physical
memory, with locale en_US.UTF-8, with libpcap version 1.9.1, with GnuTLS 3.4.17,
with Gcrypt 1.8.5, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16).
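Added example (not part of the original report and not Wireshark's dissector code): a Python check that decodes the frame 2 bytes from the hex dump in the reproduction steps and recovers the fields Wireshark 3.0.6 printed, so the capture can be verified independently of the dissector. The field layout and the zero-padding skip are assumptions inferred from that one sample; all function names are hypothetical.

```python
import struct

# Frame 2 (71 bytes), copied from the hex dump in the report.
FRAME = bytes.fromhex("".join("""
ff ff ff ff ff ff 02 01 23 45 01 fe 81 00 6f ff
08 06 00 01 08 00 06 04 00 01 02 01 23 45 01 fe
7f 14 02 fe 00 00 00 00 00 00 7f 14 01 41 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 05 01 01 00 00 00
""".split()))

ETH_8021Q, ETH_ARP, ARP_LEN = 0x8100, 0x0806, 28

def payload_end(frame):
    """Offset just past the ARP payload; skips 802.1Q tags, ARP frames only."""
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == ETH_8021Q:
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype != ETH_ARP:
        raise ValueError("this sketch only handles ARP frames")
    return off + 2 + ARP_LEN

def parse_legacy_low(buf):
    """Decode a legacy low-noise TLV at the start of buf, or return None.
    Assumed layout: type, length, version, ingress, slot, tmm, vip_len, vip."""
    if len(buf) < 7 or buf[0] != 1:
        return None
    length = buf[1]  # counts the bytes after the type and length octets
    if length < 5 or 2 + length > len(buf):
        return None
    version, ingress, slot0, tmm, vip_len = buf[2:7]
    if 5 + vip_len > length:
        return None
    vip = buf[7:7 + vip_len].decode("ascii", "replace")
    return {"type": 1, "length": length, "version": version,
            "ingress": bool(ingress), "slot": slot0 + 1,  # shown 1-based
            "tmm": tmm, "vip": vip}

def find_trailer(frame):
    """Skip zero padding after the payload, then try to decode a trailer."""
    off = payload_end(frame)
    while off < len(frame) and frame[off] == 0:
        off += 1
    return off, parse_legacy_low(frame[off:])

if __name__ == "__main__":
    print(find_trailer(FRAME))
```

The decoded values match the 3.0.6 dissection above: type 1, trailer length 5, version 1, ingress, slot 1, TMM 0 and an empty VIP name, starting at offset 0x40.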