This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A problem with parsing SCTP chunk with more than 1 Diameter messages

0
1

Hi all,

I encountered a problem when analyzing an SCTP packet capture file. There are 2 Diameter messages in one SCTP chunk, but Wireshark can only parse and display the first one. I can locate the second message in the bottom binary window but can't see it in the middle packet detail window.

I found a specification saying there couldn't be more than 1 message in one chunk. But I found there are actually 2 Diameter messages in one chunk. The chunk size is the size of the two messages. Is it an assembling error, or is the implementation just like that?

Has anyone encountered a similar issue before? Thanks for your discussion and sharing.

BRs, Bin.

asked 11 Feb '14, 22:42


ryan liu
1121
accept rate: 0%


One Answer:

0

Well I've never seen that before but anyway I know Wireshark won't handle it. Wireshark expects only one Diameter message per SCTP chunk. (Having one message or PDU per chunk is half the point of SCTP--no more of that "this is just a byte stream" mess you have with TCP.)

answered 12 Feb '14, 05:58


JeffMorriss ♦
6.2k572
accept rate: 27%
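The situation in the question, as an added worked example that is not part of the original thread and is not Wireshark's dissector code: a DATA chunk payload carrying two Diameter messages back to back, and a small splitter that walks it using the 24-bit Message Length in each Diameter header (RFC 6733). The sample payload is constructed inline (a Device-Watchdog-Request followed by its Answer; AVPs are built without the Vendor-Id field), so the script runs offline. The splitter refuses to trust a header whose version is not 1 or whose length is shorter than the header, not 4-byte aligned, or longer than what is left, which is the check an analyst wants before framing the second message by hand from the hex pane.

```python
import struct

DIAMETER_HEADER_LEN = 20  # fixed header size, RFC 6733 section 3


def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode one AVP (no Vendor-Id field); flags default to the M bit set."""
    length = 8 + len(data)  # AVP Length counts the 8-byte header plus unpadded data
    header = struct.pack(">I", code) + bytes([flags]) + length.to_bytes(3, "big")
    padding = b"\x00" * (-len(data) % 4)  # AVPs are aligned to 4 bytes
    return header + data + padding


def build_message(command_code: int, avps: list, *, request: bool,
                  application_id: int = 0, hop_by_hop: int = 0, end_to_end: int = 0) -> bytes:
    """Encode a Diameter message: 20-byte header followed by the given AVPs."""
    body = b"".join(avps)
    length = DIAMETER_HEADER_LEN + len(body)
    flags = 0x80 if request else 0x00  # R bit
    header = (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
              + command_code.to_bytes(3, "big")
              + struct.pack(">III", application_id, hop_by_hop, end_to_end))
    return header + body


def split_diameter_messages(payload: bytes) -> list:
    """Walk a DATA chunk payload and return one dict per Diameter message found.

    Each header is sanity-checked before its length is trusted: version must be 1,
    Message Length must be at least 20, a multiple of 4, and fit in what is left.
    Anything else raises ValueError rather than silently mis-framing the rest."""
    messages = []
    offset = 0
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < DIAMETER_HEADER_LEN:
            raise ValueError(f"only {remaining} bytes at offset {offset}, header needs {DIAMETER_HEADER_LEN}")
        hdr = payload[offset:offset + DIAMETER_HEADER_LEN]
        version = hdr[0]
        length = int.from_bytes(hdr[1:4], "big")
        if version != 1:
            raise ValueError(f"unexpected Diameter version {version} at offset {offset}")
        if length < DIAMETER_HEADER_LEN or length % 4 != 0:
            raise ValueError(f"implausible Message Length {length} at offset {offset}")
        if length > remaining:
            raise ValueError(f"message at offset {offset} claims {length} bytes, only {remaining} left")
        app_id, hop_by_hop, end_to_end = struct.unpack(">III", hdr[8:20])
        messages.append({
            "offset": offset,
            "length": length,
            "request": bool(hdr[4] & 0x80),
            "command_code": int.from_bytes(hdr[5:8], "big"),
            "application_id": app_id,
            "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end,
        })
        offset += length
    return messages


def is_well_formed(payload: bytes) -> bool:
    """True when the payload is an exact sequence of sane Diameter messages."""
    try:
        split_diameter_messages(payload)
        return True
    except ValueError:
        return False


# Constructed sample: a Device-Watchdog-Request (command 280) immediately followed by
# the matching Device-Watchdog-Answer in one chunk payload, the shape described above.
ORIGIN_HOST, ORIGIN_REALM, RESULT_CODE = 264, 296, 268
DWR = build_message(280, [build_avp(ORIGIN_HOST, b"host-a.example"),
                          build_avp(ORIGIN_REALM, b"example")],
                    request=True, hop_by_hop=0x1001, end_to_end=0x2001)
DWA = build_message(280, [build_avp(ORIGIN_HOST, b"host-b.example"),
                          build_avp(ORIGIN_REALM, b"example"),
                          build_avp(RESULT_CODE, struct.pack(">I", 2001))],
                    request=False, hop_by_hop=0x1001, end_to_end=0x2001)
SAMPLE_CHUNK_PAYLOAD = DWR + DWA  # 60 + 72 = 132 bytes, the "chunk size" from the question

if __name__ == "__main__":
    for m in split_diameter_messages(SAMPLE_CHUNK_PAYLOAD):
        print(m)
```

Running it lists both messages with their offsets, so the second one can be matched against the bytes shown in the hex pane. The same loop applied to a capture's chunk payload will stop with an error on the first header it cannot trust, which is the safer behaviour when the sender is suspected of concatenating messages incorrectly.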

Hi Jeff,

Thanks for your info. I saw in the specification that no more than one message can be contained in an SCTP chunk. But we captured this kind of SCTP packet, which contains more than 1 Diameter message in one SCTP chunk. The sender uses LKSCTP to send the SCTP.

I think the sender must have used the bundling function of SCTP to assemble multiple messages into one packet. But it should assemble each message into its own chunk, not multiple messages into one chunk.

I don't know whether it is a mandatory constraint or just a suggestion about the bundling mechanism.

It seems there is not so much info on the internet or in the specification.

Do you have any further comments on this case?

Thanks a lot.

BRs, Ryan.

(12 Feb '14, 07:07) ryan liu
1

Actually I'd say that the sender probably called send() with one big buffer (with 2 messages in it). SCTP bundling is a function of SCTP (not the application) and that only involves bundling 2 or more chunks together (each chunk is created by a send()/sendmsg() call).

I use LKSCTP regularly and I never saw such a behavior.

BTW can the receiver of such an odd pair of messages actually process them? I would doubt many implementations would but who knows...

(12 Feb '14, 07:36) JeffMorriss ♦

Hi Jeff,

Thanks for your advanced info. I pretty much think that we have some synchronization issue in the sender code. Can you take a look at the code piece below:

========
synchronized (outBuffer) {
    outBuffer.flip();          // monitor on outBuffer is released again at the closing brace
}

writeOutBuffer();              // below is the method; it runs outside the synchronized block

outBuffer.notify();

protected void writeOutBuffer() throws IOException {
    ...
    MessageInfo messageInfo = MessageInfo.createOutgoing(null, stream);
    sc.send(outBuffer.getByteBuffer(), messageInfo);   // whatever is in the buffer goes out in one send()
    ...
}
==============================

I think writeOutBuffer() sends the data in the buffer. And in our case, sometimes it has 2 Diameter messages in the buffer. But how do the 2 messages come into the buffer?

We have a synchronized block on outBuffer, but the scope may be too small; I think it should contain writeOutBuffer(), because it could happen that the second message comes into the buffer while writeOutBuffer() is underway.

Thanks for your suggestion.

BRs, Ryan.

(12 Feb '14, 21:47) ryan liu

Your analysis sounds reasonable to me. But I'm not going to be much help debugging what looks to me like Java: I think the most I've done with Java was a "hello world" program in college.

(BTW if the Answer above answers your question, please be sure to Accept it by clicking the checkmark--that way your question won't show up in the "unanswered questions" list.)

(13 Feb '14, 07:35) JeffMorriss ♦

Thanks Jeff,

These two days I have been working on fixing this issue, and now we can send messages one by one in the application layer; previously our application might send multiple messages during one send process.

After this fix, I captured the packets and saw there is no more than one message in one chunk. But there is no bundling either. Our traffic is big and I think LKSCTP should use bundling for efficiency. Is there any configuration or some condition that needs to be met? Could you please give some comments?

Thanks again.

BRs, Ryan.

(18 Feb '14, 19:13) ryan liu

Hmmm, yeah... My experiences with LKSCTP are, in general, not very good. I, too, have seen it pounding away thousands of single-chunk packets per second with barely any bundling.

That being said, I do have some vague memory of seeing bundled packets out of LKSCTP more recently (this would be Redhat EL/CentOS 6) although that may have been more because of the poor network conditions (i.e., the bundling actually happened because SCTP was not allowed to put packets on the wire earlier due to congestion).

Unfortunately the only advice I could give would be to try a more modern LKSCTP (assuming that switching to, say, FreeBSD is out of the question ;-) ).

(19 Feb '14, 07:02) JeffMorriss ♦