I've been fortunate enough to have recorded some traffic that causes ethereal
0.8.7 to die. I know that one of the big difficulties in debugging is
repeatability... These capture files should help whoever is working on these
kinds of problems. I'm using ethereal 0.8.7 compiled on both linux and openbsd.
All captures are done with update and scrolling enabled, and auto dns disabled.
Both files can be found in http://research-cistw.saic.com/ethereal

ether4 - does not capture or load ok (cores)
Was extracted from a larger file that if tcpreplayed and captured with
capture filter (!port 139), all subsequent captures (with or without filters)
work fine. This sample does not have this characteristic, probably because
filtering port 139 results in no packets captured.

ether3 - udp that captures ok (loading directly stalls briefly but works also)
but locks up and eventually cores when "dns" is entered into the filter window.

Lastly, some comments.. When selecting the follow tcp stream, a magic filter
rule appears in the "filter window" and the display window pops up. May I
suggest that the display window have its own "filter" window? That would
eliminate quite a bit of hassle that happens when following one stream, and
then having to put the original filter rule back in and locate the next packet
to do a follow stream on. It's especially annoying when, and I know this will
come as a shock, follow stream shows the wrong data. I haven't quite
nailed that one down as repeatable, and it may have been something fixed since
0.8.4, but I think it has something to do with it following the wrong stream
when there's a display filter in place. (I would select a telnet packet on
port 23 and the stream that it followed would be a SMB transmission on port 139
with the _filter rule_ specifying 139 instead of 23).
Being able to open up a "follow" window and play with its rule would also be
helpful if for example I only wanted to see one side of the conversation.
Also, in the follow stream window it appears that unprintable characters (e.g.
as part of the escape codes for screen operations) are there, but not
displayed. I'm not sure this is the reason, but I've had some difficulty
pasting this into other windows (particularly because there is no "save"
feature). Perhaps in addition to ascii a "printable ascii", or someday maybe
a "terminal emulated" window that I suppose would have to be animated.
Thanks
ps: was working with a client and he started peering over my shoulder to see
ethereal. He asked if it was something my company had bought. Nope, it's an
open source program. He was amazed that I'd just "gotten it off the net".
Definitely much better than certain overpriced products from a certain company
whose initials are NAI.