Ethereal-dev: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grab
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Michael Hennessy <hennessy@xxxxxxxxxxxxxxxx>
Date: Sat, 16 Dec 2000 13:41:15 +1000
Hi all,
I've got a problem with a particular packet that reliably GPFs ethereal
and tethereal (on NT4). Per Gilbert Ramirez's suggestion I'm posting the
packet concerned to ethereal-dev for comment....
Actually, attached are two frames from a recent capture session I did -
frame numbers 292 and 13097 - both are extracted from the same capture dump
(of 100,000 frames) using editcap, and one reliably GPFs my ethereal and
tethereal v0.8.14.1 when trying to decode it.
Dump file tcap3.13097 is the one that doesn't decode, whilst tcap3.292 is OK
- it's picked purely because it's the first frame in the session of the same
general type (i.e. SMBgetattr), but doesn't display this problem - i.e. it
decodes in tethereal/ethereal without crashing.
Using a combination of windump (the windows tcpdump) and a slightly
modified version of a script called tcpformat.pl I found, I've managed to
decode the bad frame to the point where I think the problem is probably in
the SMB decoding portion (although I haven't checked the checksums in the IP
and TCP headers as yet - that's the next job).
The commands used to do this decoding are below and the files generated
from them are attached, in case it helps anyone more savvy with SMB packet
formats than I to spot what's up.
windump -e -x -r tcap3.292 | perl tcpformat.pl > tcap3.292.tcpformat.txt
windump -e -x -r tcap3.13097 | perl tcpformat.pl > tcap3.13097.tcpformat.txt
regards,
Michael Hennessy
----------------------------------------------------------------------------------
Excalibur Engineering Pty. Ltd.
Mobile Phone No : (+61) 0411 789392
Office Phone No. : (+61) 0249 400133
Office Fax No. : (+61) 0249 400266
Email Address : hennessy@xxxxxxxxxxxxxxxx
Postal Address : PO Box 1088 Newcastle NSW 2300, Australia
Street Address : 80 Chin Chen Street, Islington,
Newcastle, 2296, Australia
----------------------------------------------------------------------------------
On Friday, December 15, 2000 11:55 PM, Gilbert Ramirez
[SMTP:gram@xxxxxxxxxx] wrote:
> On Fri, 15 Dec 2000 15:44:16 +1000
> Michael Hennessy <hennessy@xxxxxxxxxxxxxxxx> wrote:
>
> > The packet in question is available for testing if someone wants to have a
> > go at it - it's only 153 bytes long.
> >
>
> That's what we need. Either send the packet trace to ethereal-dev,
> if it can be made public, or send it to me or another Ethereal
> developer with instructions not to make it public.
>
> --gilbert

Attachment: tcap3.292
Description: Binary data

Attachment: tcap3.13097
Description: Binary data
16:56:55.005498 0:d0:b7:88:43:f7 0:0:e8:cf:31:1c ip 113: 192.168.0.1.139 > 192.168.0.15.1025: P 15849027:15849086(59) ack 2777904 win 7302 (DF)
Version: 4 Header Length: 5 Differentiated Services Field: 0x00
Total Length: 99 Identification: 0x 69c
Flags: 0x04
Fragment Offset: 0 Time to Live: 128 Protocol: 6
Header Checksum: 0x7298
Options: 0 Padding: 1
Source Address: 192.168.0.1 Destination Address: 192.168.0.15
Source Port: 139
Destination Port: 1025
Sequence Number: 15849027
Acknowledgement Number: 2777904
Header Length: 5
Code Bits: 24 ACK PSH
Window Size: 7302
Checksum: 0xb0af
Urgent Pointer: 0
Options: 00000037
Data: (length of 59 bytes)
00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80 ...7.SMB........
00 00 00 00 00 00 00 00 00 00 00 00 04 08 8d 11 ................
00 08 83 c3 0a 20 00 00 9e 36 0e d7 00 00 00 00 ..... ...6......
00 00 00 00 00 00 00 00 00 00 00 ...........
-----------------------------------------
16:59:35.477974 0:d0:b7:88:43:f7 0:0:e8:cf:35:18 ip 113: 192.168.0.1.139 > 192.168.0.14.1025: P 16779010:16779069(59) ack 2354633 win 7420 (DF)
Version: 4 Header Length: 5 Differentiated Services Field: 0x00
Total Length: 99 Identification: 0xe7cd
Flags: 0x04
Fragment Offset: 0 Time to Live: 128 Protocol: 6
Header Checksum: 0x9167
Options: 0 Padding: 1
Source Address: 192.168.0.1 Destination Address: 192.168.0.14
Source Port: 139
Destination Port: 1025
Sequence Number: 16779010
Acknowledgement Number: 2354633
Header Length: 5
Code Bits: 24 ACK PSH
Window Size: 7420
Checksum: 0x12ab
Urgent Pointer: 0
Options: 00000037
Data: (length of 59 bytes)
00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80 ...7.SMB........
00 00 00 00 00 00 00 00 00 00 00 00 04 08 f5 29 ...............)
00 08 01 5c 0a 20 00 00 21 7c 86 10 02 00 00 00 ...\. ..!|......
00 00 00 00 00 00 00 00 00 00 00 ...........
-----------------------------------------