Ethereal-dev: [Ethereal-dev] tethereal bug: package corrupted.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jonas Åberg <jonas@xxxxxxxxxxxx>
Date: Mon, 3 May 2004 16:34:22 +0200
Hi,

I've been capturing some data and later used tethereal to remove non-HTTP traffic from the captured data. However, tethereal removes a bit too much from (at least) one HTTP transfer. The HTTP header is gone.

I produced the bug this way:
 - starting ethereal capture until 32 mb reached.

wget -r -l 3 www.svd.se

 - saved it in "sniffer 2.00x" format. (If I load the file again in ethereal and take follow tcpflow the bad transfer looks fine.)

- After saving I ran:

tethereal -F libpcap -r "large.sniff" -w "/tmp/dmm-capture-tmp.pcap" -R "http" -d "tcp.port==3128,http"

(with libpcap 0.8.3 - Transferred over a squid proxy on 3128)
loaded /tmp/dmm-capture-tmp.pcap again and looked at the same stream and parts of the http header were gone. I've used tcpflow 0.21 also, and it also produces at least one faulty http package, so it isn't "follow tcp stream" that has problems.

I have cut out the error below, however, I guess you can't make much out of it. I'll keep the captured data that is around 32mb, and if wished I can transfer it to anyone.

Best regards,
 Jonas





 Correct data - Captured
-------------------------

GET /mainpage.asp?id=19 HTTP/1.0
User-Agent: Wget/1.9.1
Host: bors.svd.se
Accept: */*
Connection: Keep-Alive
Referer: http://www.svd.se/
Cookie: ASPSESSIONIDQCQSBBAB=KEJEPIMDCHGHILHILNOAKJKG

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 03 May 2004 12:03:31 GMT
X-Powered-By: ASP.NET
Connection: keep-alive
Connection: Keep-Alive
Content-Length: 87564
Content-Type: text/html
Cache-control: private





<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
	<title>SvD N&auml;ringsliv - B&ouml;rs &amp; Finans</title>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
	<meta http-equiv="content-language" content="SV">
	<meta http-equiv="refresh" content="600">
	<meta name="author" content="Svenska Dagbladet <webmaster@xxxxxx>">
	<meta name="title" content="SvD N&auml;ringsliv - B&ouml;rs &amp; Finans">
	<meta name="description" content="Svenska Dagbladet &auml;r en ledande kvalitetstidning med stark bevakning inom Nyheter, N&auml;ringsliv och Kultur.">
	<meta name="keywords" content="Nyheter, N&auml;ringsliv, Ekonomi, B&ouml;rs, Stockholm, Sweden, Sverige, Aktier, Optioner, Warrants, Fonder, fond, aktie, warranter, option, b&ouml;rsportf&ouml;lj, portf&ouml;lj">
	
	<link rel="shortcut icon" href="http://www.svd.se/images/sys/favicon/favicon.ico" type="image/x-icon">
	<meta http-equiv="Pragma" content="no-cache">
	
	<link rel="stylesheet" href="http://www.svd.se/ssi/css/svd.css" type="text/css">
	<link rel="stylesheet" href="http://www.svd.se/div/mallar/delphi/style.css" type="text/css">
        <link rel="stylesheet" href="http://www.svd.se/div/mallar/delphi/delphi_pos.css" type="text/css">
        
	<script language="Javascript">
	<!--
		function delphi_reload_image() {
			var thispage=document.location.href;
			<!-- skriptet letar upp forsta href-taggen och ersatter den med nedanstaende -->
			
			if ( thispage.indexOf("mainsweinus.asp")>-1 || thispage.indexOf("market=NSDQ")>-1 || thispage.indexOf("market=NYSE")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/svenska_aktier_i_usa.gif";
			}
			else if ( thispage.indexOf("mainstart.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/bors_finans.gif";
			}
			else if ( thispage.indexOf("mainindex.asp")>-1 || thispage.indexOf("type=INDX")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/borsindex.gif";
			}
			else if ( thispage.indexOf("maincomment.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/borskommentarer.gif";
			}
			else if ( thispage.indexOf("mainfund.asp")>-1 || thispage.indexOf("mainmutfunds.asp")>-1 || thispage.indexOf("mainmutfundslist.asp")>-1 ) {

.....

And so on (The whole html page is about 87k)
--------------------------------------------------

The broken transfer (same transfer) after tethereal has
had its hands on it. (The same error is found by reading
the pcap dump with tcpflow 0.21)

 Broken transfer:
-----------------

GET /mainpage.asp?id=19 HTTP/1.0
User-Agent: Wget/1.9.1
Host: bors.svd.se
Accept: */*
Connection: Keep-Alive
Referer: http://www.svd.se/
Cookie: ASPSESSIONIDQCQSBBAB=KEJEPIMDCHGHILHILNOAKJKG

.svd.se/div/mallar/delphi/delphi_pos.css" type="text/css">
        
	<script language="Javascript">
	<!--
		function delphi_reload_image() {
			var thispage=document.location.href;
			<!-- skriptet letar upp forsta href-taggen och ersatter den med nedanstaende -->
			
			if ( thispage.indexOf("mainsweinus.asp")>-1 || thispage.indexOf("market=NSDQ")>-1 || thispage.indexOf("market=NYSE")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/svenska_aktier_i_usa.gif";
			}
			else if ( thispage.indexOf("mainstart.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/bors_finans.gif";
			}
			else if ( thispage.indexOf("mainindex.asp")>-1 || thispage.indexOf("type=INDX")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/borsindex.gif";
			}
			else if ( thispage.indexOf("maincomment.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/borskommentarer.gif";
			}
			else if ( thispage.indexOf("mainfund.asp")>-1 || thispage.indexOf("mainmutfunds.asp")>-1 || thispage.indexOf("mainmutfundslist.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/fonder.gif";
			}
			else if ( thispage.indexOf("maincalendar.asp")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/kalendarium.gif";
			}
			else if ( thispage.indexOf("port_")>-1 ) {
				document.images[2].src="http://www.svd.se/images/sys/huvuden/min_portfolj.gif";
			}

....

------------------

See the HTTP header is missing and the first lines of the html.
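
Added example, not part of the original post: one way to pin down which TCP segments a filtered rewrite dropped, by comparing the payload-bearing segments of each flow in the original capture with those in the filtered one. It assumes both files are classic libpcap with Ethernet/IPv4 framing (the Sniffer-format original would first be re-saved as libpcap); the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def tcp_payload_segments(pcap):
    """Map (src, sport, dst, dport) -> {(seq, length)} for payload-bearing TCP packets."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # libpcap magic byte order
    flows, off = defaultdict(set), 24                        # skip 24-byte file header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        f, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                                         # not Ethernet/IPv4/TCP
        ihl = (f[14] & 0x0F) * 4
        t = 14 + ihl                                         # TCP header offset
        if len(f) < t + 20:
            continue                                         # TCP header truncated by snaplen
        sport, dport, seq = struct.unpack("!HHI", f[t:t + 8])
        n = struct.unpack("!H", f[16:18])[0] - ihl - (f[t + 12] >> 4) * 4
        if n > 0:
            flows[(f[26:30], sport, f[30:34], dport)].add((seq, n))
    return flows

def dropped_segments(original, filtered):
    """Per flow, the (seq, length) segments present in `original` but absent from `filtered`."""
    kept = tcp_payload_segments(filtered)
    report = {}
    for flow, segs in tcp_payload_segments(original).items():
        lost = sorted(segs - kept.get(flow, set()))
        if lost:
            report[flow] = lost
    return report

# --- constructed sample data (addresses, ports and sequence numbers are made up) ---
def _frame(src, sport, dst, dport, seq, data):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, src, dst)
    return b"\0" * 12 + b"\x08\x00" + ip + tcp + data

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

CLIENT, PROXY = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
REQ = _frame(CLIENT, 40000, PROXY, 3128, 1000, b"GET /mainpage.asp?id=19 HTTP/1.0\r\n\r\n")
HEAD = _frame(PROXY, 3128, CLIENT, 40000, 5000, b"HTTP/1.1 200 OK\r\n\r\n<html>")
BODY = _frame(PROXY, 3128, CLIENT, 40000, 5025, b"<head></head>")
ORIGINAL = _pcap([REQ, HEAD, BODY])
FILTERED = _pcap([REQ, BODY])    # response head missing, as in the report
```

Calling `dropped_segments(ORIGINAL, FILTERED)` on the sample data reports the proxy-to-client segment at sequence 5000 (25 bytes) as lost; on real files, pass the bytes of the two captures read with `open(path, "rb").read()`.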