Ethereal-dev: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Sun, 17 Dec 2000 00:23:29 +1000
Hi,

Well, I have confirmed that the packet crashes Ethereal under Win95, and is
read OK under Linux.

I do not have a build environment for Win9X or NT, so I cannot do much
more, and I do not currently have the time to create a build environment
for Win9X or NT either.

At 01:41 PM 12/16/00 +1000, Michael Hennessy wrote:
>
>Hi all,
>
>I've got a problem with a particular packet that reliably GPF's ethereal 
>and tethereal (on NT4). Per Gilbert Ramirez's suggestion I'm posting the 
>packet concerned to ethereal-dev for comment....
>
>Actually, attached are two frames from a recent capture session I did - 
>frame numbers 292 and 13097- both are extracted from the same capture dump 
>(of 100,000 frames) using editcap, and one reliably GPF's my ethereal and 
>tethereal v0.8.14.1 when trying to decode it.
>
>dump file tcap3.13097 is the one that doesn't decode, whilst tcap3.292 is OK 
>- it's picked purely because it's the first frame in the session of the same 
>general type (i.e. SMBgetattr), but doesn't display this problem - i.e. it 
>decodes in tethereal/ethereal without crashing.
>
>
>
>Using a combination of windump (the windows tcpdump) and a slightly 
>modified version of a script called tcpformat.pl I found, I've managed to 
>decode the bad frame to the point where I think the problem is probably in 
>the SMB decoding portion (although I haven't checked the checksums in the IP 
>and TCP headers as yet - that's the next job).
>
>The commands used to do this decoding are below and the files generated 
>from them are attached, in case it helps anyone more savvy with SMB packet 
>formats than I to spot what's up.
>
>windump -e -x -r tcap3.292 | perl tcpformat.pl > tcap3.292.tcpformat.txt
>windump -e -x -r tcap3.13097 | perl tcpformat.pl > tcap3.13097.tcpformat.txt
>
>
>
>
>regards,
>
>Michael Hennessy
>----------------------------------------------------------------------------------
>Excalibur Engineering Pty. Ltd.
>
>Mobile Phone No : (+61) 0411 789392
>Office Phone No. : (+61) 0249 400133
>Office Fax     No. : (+61) 0249 400266
>Email  Address    : hennessy@xxxxxxxxxxxxxxxx
>
>Postal Address    : PO Box 1088 Newcastle NSW 2300, Australia
>Street Address    : 80 Chin Chen Street, Islington,
>                              Newcastle, 2296, Australia
>----------------------------------------------------------------------------------
>
>
>On Friday, December 15, 2000 11:55 PM, Gilbert Ramirez 
>[SMTP:gram@xxxxxxxxxx] wrote:
>> On Fri, 15 Dec 2000 15:44:16 +1000
>> Michael Hennessy <hennessy@xxxxxxxxxxxxxxxx> wrote:
>>
>> > The packet in question is available for testing if someone wants to have a
>> > go at it - it's only 153 bytes long.
>> >
>>
>> That's what we need. Either send the packet trace to ethereal-dev,
>> if it can be made public, or send it to me or another Ethereal
>> developer with instructions not to make it public.
>>
>> --gilbert
>Attachment Converted: "c:\eudora\attach\tcap3.292"
>
>Attachment Converted: "c:\eudora\attach\tcap3.13097"
>16:56:55.005498 0:d0:b7:88:43:f7 0:0:e8:cf:31:1c ip 113: 192.168.0.1.139 > 192.168.0.15.1025: P 15849027:15849086(59) ack 2777904 win 7302 (DF)
>Version: 4	Header Length: 5	Differentiated Services Field: 0x00
>Total Length: 99			Identification: 0x 69c
>Flags: 0x04
>Fragment Offset: 0			Time to Live: 128	Protocol: 6
>Header Checksum: 0x7298
>Options: 0		Padding: 1
>Source Address: 192.168.0.1		Destination Address: 192.168.0.15
>	Source Port: 139
>	Destination Port: 1025
>	Sequence Number: 15849027
>	Acknowledgement Number: 2777904
>	Header Length: 5
>	Code Bits: 24		ACK	PSH				
>	Window Size: 7302
>	Checksum: 0xb0af
>	Urgent Pointer: 0
>	Options: 00000037
>	Data: (length of 59 bytes)
>                00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80  ...7.SMB........
>                00 00 00 00 00 00 00 00 00 00 00 00 04 08 8d 11  ................
>                00 08 83 c3 0a 20 00 00 9e 36 0e d7 00 00 00 00  ..... ...6......
>                00 00 00 00 00 00 00 00 00 00 00                 ...........
>-----------------------------------------
>16:59:35.477974 0:d0:b7:88:43:f7 0:0:e8:cf:35:18 ip 113: 192.168.0.1.139 > 192.168.0.14.1025: P 16779010:16779069(59) ack 2354633 win 7420 (DF)
>Version: 4	Header Length: 5	Differentiated Services Field: 0x00
>Total Length: 99			Identification: 0xe7cd
>Flags: 0x04
>Fragment Offset: 0			Time to Live: 128	Protocol: 6
>Header Checksum: 0x9167
>Options: 0		Padding: 1
>Source Address: 192.168.0.1		Destination Address: 192.168.0.14
>	Source Port: 139
>	Destination Port: 1025
>	Sequence Number: 16779010
>	Acknowledgement Number: 2354633
>	Header Length: 5
>	Code Bits: 24		ACK	PSH				
>	Window Size: 7420
>	Checksum: 0x12ab
>	Urgent Pointer: 0
>	Options: 00000037
>	Data: (length of 59 bytes)
>                00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80  ...7.SMB........
>                00 00 00 00 00 00 00 00 00 00 00 00 04 08 f5 29  ...............)
>                00 08 01 5c 0a 20 00 00 21 7c 86 10 02 00 00 00  ...\. ..!|......
>                00 00 00 00 00 00 00 00 00 00 00                 ...........
>-----------------------------------------
>

Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
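
Added example, not part of the original thread and not Ethereal code: a bounds-checked decode of the two 59-byte payloads quoted above, so the SMB fields of the two dumps can be compared side by side. The names frame_a, frame_b and parse_getattr are hypothetical, and the field layout (command 0x08 response, word count 10, then attributes, last-write time, file size) is an assumption based on the "SMBgetattr" description in the quoted mail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two 59-byte TCP payloads, copied from the hex dumps quoted above. */
static const uint8_t frame_a[59] = {
    0x00,0x00,0x00,0x37,0xff,0x53,0x4d,0x42,0x08,0x00,0x00,0x00,0x00,0x80,0x00,0x80,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x08,0x8d,0x11,
    0x00,0x08,0x83,0xc3,0x0a,0x20,0x00,0x00,0x9e,0x36,0x0e,0xd7,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
static const uint8_t frame_b[59] = {
    0x00,0x00,0x00,0x37,0xff,0x53,0x4d,0x42,0x08,0x00,0x00,0x00,0x00,0x80,0x00,0x80,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x08,0xf5,0x29,
    0x00,0x08,0x01,0x5c,0x0a,0x20,0x00,0x00,0x21,0x7c,0x86,0x10,0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

struct getattr { uint16_t attrs; uint32_t mtime; uint32_t size; };

static uint32_t le(const uint8_t *p, int n)   /* little-endian value of n bytes */
{ uint32_t v = 0; while (n-- > 0) v = (v << 8) | p[n]; return v; }

/* Assumed layout: NetBIOS session header, 32-byte SMB header, word count 10,
 * then attributes(2), last-write time(4), file size(4). 0 = ok, <0 = rejected. */
int parse_getattr(const uint8_t *b, size_t len, struct getattr *out)
{
    if (len < 4 || b[0] != 0x00) return -1;            /* not a session message */
    size_t nb = ((size_t)(b[1] & 1) << 16) | ((size_t)b[2] << 8) | b[3];
    if (nb > len - 4) return -2;                       /* claims more than captured */
    const uint8_t *smb = b + 4;
    if (nb < 33 || memcmp(smb, "\xffSMB", 4) != 0) return -3;
    if (smb[4] != 0x08 || !(smb[9] & 0x80)) return -4; /* command 0x08, response bit */
    size_t wct = smb[32];
    if (wct != 10 || 33 + 2 * wct + 2 > nb) return -5; /* words + byte count must fit */
    out->attrs = (uint16_t)le(smb + 33, 2);
    out->mtime = le(smb + 35, 4);
    out->size  = le(smb + 39, 4);
    return 0;
}

int main(void)
{
    const uint8_t *f[2] = { frame_a, frame_b };
    struct getattr g;
    for (int i = 0; i < 2; i++)
        if (parse_getattr(f[i], 59, &g) == 0)
            printf("dump %d: attrs=0x%04x mtime=0x%08x size=%u\n", i + 1,
                   (unsigned)g.attrs, (unsigned)g.mtime, (unsigned)g.size);
    return 0;
}
```

Under that assumed layout both payloads pass every length check; the second dump's time field is above 0x7fffffff, so it is negative wherever a decoder holds it in a signed 32-bit time value. The thread does not establish whether that field is what the Windows build trips over.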