Ethereal-dev: Re: [Ethereal-dev] Doubts and stuff

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Wed, 30 Oct 2002 18:40:06 +0100
Andreas Sikkema wrote:
>Lately I am seeing (or thinking that I'm seeing) different behaviour 
>in a new capture compared to a capture loaded from file (saved 
>using File/Save or File/Save As). My common sense tells me this 
>is impossible, but the behaviour seems to be pretty consistent.
>
>Am I seeing ghosts or is there really something out there. 
>
>This morning I had a capture decoded properly and later this 
>afternoon I had [Short Frame] all over the place.
>


I noticed that I got very strange results when investigating some TCP traffic (mainly H.323 traffic) with
Ethereal 0.9.6 and 0.9.7 a couple of weeks ago. I got different results from time to time, and different
results when I filtered out a specific TCP connection etc.
The result with 0.9.5 was more accurate, it seemed.

A couple of days later I noticed that this was due to a bug that another Ethereal user
had noticed at about the same time as I was looking into why I got the strange results.
http://www.ethereal.com/lists/ethereal-dev/200210/msg00177.html
http://www.ethereal.com/lists/ethereal-dev/200210/msg00191.html

The other problem I had was that most outgoing packets over a certain size had an incorrect checksum,
which made Ethereal not consider the packets with an incorrect checksum when reassembling the TCP data.
http://www.ethereal.com/lists/ethereal-users/200210/msg00059.html

After changing the TCP settings under Edit/Preferences.../Protocols/TCP, it seems to work much better:
- Check the validity of the TCP checksum (uncheck this option, so that desegmentation works even for packets with
  an incorrect checksum)
- Use relative sequence numbers (uncheck this option since there might be some problems with desegmentation when using Ethereal 0.9.6 and 0.9.7).

I sometimes got [Short Frame] for several of the packets in my capture before I made those changes.

PS! I have registered a bug report on sourceforge about H323-plugin causing a crash when it fails to decode a packet. 
If you need more information or a sample capture please contact me.
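
The effect described in the message above, where segments with an incorrect checksum are left out of TCP reassembly, shown as an added example that is not part of the original post and is not Ethereal's code. It is a simplified Python model; the addresses, ports, sequence numbers and payloads are constructed.

```python
import socket
import struct

SRC, DST = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses

def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement sum over the IPv4 pseudo-header plus the TCP segment."""
    data = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF  # 0 when the segment carries a correct checksum

def build_segment(seq, payload, valid=True):
    """Constructed 20-byte TCP header (ports 1720 -> 40000) plus payload."""
    hdr = struct.pack("!HHIIHHHH", 1720, 40000, seq, 0, (5 << 12) | 0x18, 8192, 0, 0)
    csum = tcp_checksum(SRC, DST, hdr + payload)
    if not valid:
        csum ^= 0x5555  # corrupt the checksum field only; payload is intact
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def reassemble(segments, first_seq, check_checksum):
    """Join payloads in sequence order, stopping at the first gap."""
    by_seq = {}
    for seg in segments:
        if check_checksum and tcp_checksum(SRC, DST, seg) != 0:
            continue  # segment ignored, as with checksum validation enabled
        by_seq[struct.unpack("!I", seg[4:8])[0]] = seg[20:]
    out, nxt = b"", first_seq
    while nxt in by_seq:
        payload = by_seq.pop(nxt)
        out += payload
        nxt += len(payload)
    return out

def demo():
    parts = [b"H.323 ", b"setup ", b"message"]
    segs, seq = [], 1000
    for i, p in enumerate(parts):
        segs.append(build_segment(seq, p, valid=(i != 1)))  # 2nd one is bad
        seq += len(p)
    return reassemble(segs, 1000, True), reassemble(segs, 1000, False)

if __name__ == "__main__":
    print(demo())
```

With validation on, the stream stops at the gap left by the rejected segment even though its payload bytes are intact; with validation off, the full stream is recovered.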