Ethereal-dev: [Ethereal-dev] [gsstark@xxxxxxx: Bug#199908: ethereal: Ethereal gets confused if
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Frederic Peters <fpeters@xxxxxxxxxxxxx>
Date: Thu, 10 Jul 2003 10:58:23 +0200
Hello, Got this bug report (199908) in the Debian Bug Tracking System. Later on he posted a patch. Regards, Frederic bash-2.05b# diff -u follow.c.~1~ follow.c --- follow.c.~1~ 2002-12-03 20:36:10.000000000 -0500 +++ follow.c 2003-07-03 15:01:28.000000000 -0400 @@ -140,12 +140,16 @@ /* Now check if the packet is for this connection. */ memcpy(srcx, net_src->data, len); memcpy(dstx, net_dst->data, len); - if ((memcmp(srcx, ip_address[0], len) != 0 && - memcmp(srcx, ip_address[1], len) != 0) || - (memcmp(dstx, ip_address[0], len) != 0 && - memcmp(dstx, ip_address[1], len) != 0) || - (srcport != tcp_port[0] && srcport != tcp_port[1]) || - (dstport != tcp_port[0] && dstport != tcp_port[1])) + if ( + ! ( + !memcmp(srcx, ip_address[0], len) && !memcmp(dstx, ip_address[1], len) && + srcport == tcp_port[0] && dstport == tcp_port[1] + ) && + ! ( + !memcmp(srcx, ip_address[1], len) && !memcmp(dstx, ip_address[0], len) && + srcport == tcp_port[1] && dstport == tcp_port[0] + ) + ) return; /* Initialize our stream chunk. This data gets written to disk. */
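Review bot: the new condition in follow.c is only correct if ip_address[0] belongs to the same endpoint as tcp_port[0], and ip_address[1] to the same endpoint as tcp_port[1]; nothing in this hunk shows that pairing, so please confirm it where those arrays are filled and say so in the comment above the test. The nested "! ( ... ) && ! ( ... )" form is also hard to read at a glance: two named flags, one per direction, followed by "if (!forward && !reverse) return;" would state the intent directly and keep each memcmp next to the port it is paired with.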
--- Begin Message ---
From: gsstark@xxxxxxx
Sender: Gregory Stark <stark@xxxxxxxxxxx>
To: submit@xxxxxxxxxxxxxxx
Subject: Bug#199908: ethereal: Ethereal gets confused if you have symmetric streams
Date: Thu, 03 Jul 2003 14:46:03 -0400

Package: ethereal
Version: 0.9.13-1
Severity: normal

The "Follow TCP Stream" option becomes totally confused if you have two streams with swapped port numbers. For example, if I'm at host1 and connected to a web server on host2 at the same time as host2 is connected to a web server on my machine, and we both happen to pick identical source ports, then the Follow TCP Stream doesn't work properly.

What happens is it prints many many messages of the form:

    bash-2.05b# ERROR in reassemble_tcp: Too many addresses!
    ERROR in reassemble_tcp: Too many addresses!
    ERROR in reassemble_tcp: Too many addresses!
    ERROR in reassemble_tcp: Too many addresses!

And the window that shows the TCP Stream shows one side of each conversation instead of both sides of the same conversation.

If you think this is an uncommon occurrence, well, it would be except for NAT. Under netfilter, SNAT and DNAT both try to preserve port numbers whenever possible. Consider the case of accessing a service, say port 80, from the server itself, but via the external NAT'd address. Both SNAT and DNAT are performed, which results in two otherwise identical streams from internal.sourceport <-> external.80 and external.sourceport <-> internal.80.

Note that these two otherwise identical streams are not the same stream because while the addresses are swapped the ports are not. And only the combination of all addresses and ports makes a stream.

In this case what Ethereal shows in the TCP Stream window is the GET request repeated twice. It doesn't show any of the HTTP response flow.

Ethereal should key off both the addresses and ports to find matching packets for the TCP Stream.

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux stark.dyndns.tv 2.4.20 #5 Tue Apr 8 08:34:27 EDT 2003 i686 GNU/Linux

Versions of the packages ethereal depends on:
ii  ethereal-commo 0.9.13-1  Network traffic analyser (common files)
ii  libatk1.0-0    1.2.4-1   The ATK accessibility toolkit
ii  libc6          2.3.1-17  GNU C Library: Shared libraries and Timezone
ii  libglib2.0-0   2.2.2-1   The GLib library of C routines
ii  libgtk2.0-0    2.2.1-6   The GTK+ graphical user interface library
ii  libpango1.0-0  1.2.1-4   Layout and rendering of internationalized te
ii  libpcap0.7     0.7.2-1   System interface for user-level packet captu
ii  zlib1g         1.1.4-13  compression library - runtime
--- End Message ---
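
The report's point that only the full combination of addresses and ports identifies a stream, as an added example (not code from the original messages or from Ethereal): a direction-independent stream key built from (address, port) pairs, next to the field-by-field membership test the patch removes. All names, addresses and ports are constructed for illustration, and the sketch covers IPv4 only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One side of a TCP connection (IPv4 only in this sketch). */
typedef struct { uint8_t addr[4]; uint16_t port; } endpoint;
/* Direction-independent stream key: lo sorts before hi. */
typedef struct { endpoint lo, hi; } flow_key;

/* Constructed endpoints for the NAT case: internal.sourceport <-> external.80
   and external.sourceport <-> internal.80, same source port on both. */
static const endpoint INT_HI = {{10, 0, 0, 5}, 40000};
static const endpoint EXT_80 = {{203, 0, 113, 7}, 80};
static const endpoint EXT_HI = {{203, 0, 113, 7}, 40000};
static const endpoint INT_80 = {{10, 0, 0, 5}, 80};

static int endpoint_cmp(const endpoint *a, const endpoint *b)
{
    int c = memcmp(a->addr, b->addr, sizeof a->addr);
    return c ? c : (a->port > b->port) - (a->port < b->port);
}

/* Order the two endpoints so both directions of a stream give one key. */
flow_key make_key(endpoint src, endpoint dst)
{
    flow_key k;
    if (endpoint_cmp(&src, &dst) <= 0) { k.lo = src; k.hi = dst; }
    else                               { k.lo = dst; k.hi = src; }
    return k;
}

int same_stream(flow_key a, flow_key b)
{
    return endpoint_cmp(&a.lo, &b.lo) == 0 && endpoint_cmp(&a.hi, &b.hi) == 0;
}

/* Membership-style test as removed by the patch: each field only has to equal
   one of the two remembered values, so address/port pairing is never checked. */
int loose_match(endpoint src, endpoint dst, endpoint e0, endpoint e1)
{
    int sa = !memcmp(src.addr, e0.addr, 4) || !memcmp(src.addr, e1.addr, 4);
    int da = !memcmp(dst.addr, e0.addr, 4) || !memcmp(dst.addr, e1.addr, 4);
    return sa && da && (src.port == e0.port || src.port == e1.port)
                    && (dst.port == e0.port || dst.port == e1.port);
}

int main(void)
{
    printf("loose: %d\n", loose_match(EXT_HI, INT_80, INT_HI, EXT_80));
    printf("keyed: %d\n", same_stream(make_key(EXT_HI, INT_80), make_key(INT_HI, EXT_80)));
    return 0;
}
```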