Ethereal-users: Re: [Ethereal-users] TCP stream shows different stuff?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Damir Cosic <damir@xxxxxxxxxxxxxx>
Date: Wed, 24 Oct 2001 17:54:26 -0600
On Oct 10/24/01 15:50, Guy Harris wrote:
> > However, the regular list view in ethereal doesn't show any difference
> > between good and bad PORT packets. But TCP Stream from Tools menu
> > displays something completely different. Good packets look the same in
> > both views, but for bad packets TCP Stream view prints some garbage:
> > 
> >   0 Feb 13 20:02 bussys
> > 
> > preceded by two new lines. If this is true, that would explain why my
> > PORT commands don't work, but my question is whom I can believe and
> > why they display different stuff.
> 
> What does the raw data in the hex/ASCII dump window show?  Does it agree
> with the stuff that shows up in the protocol tree window (middle
> window)?
> 
> If so, that's what actually went over the network, and, if that doesn't
> match what's in the TCP Stream window, there's presumably a bug in the
> TCP Stream code.
> 
> If not, then there's a bug somewhere in the FTP dissector, so that it's
> not putting the right stuff into the protocol tree.
> 
> In either of those presumed-bug cases, could you send us the capture
> file, so we can try to figure out what the bug is?

I realized that the junk that was displayed in the TCP Stream window was actually
part of the data transferred over the FTP data connection.

Also, I found out what was wrong with the packets. Since this might also
help you in debugging, here is a short description of the testing
environment. The Gateway is running our software that was being tested, and
the software is messing around with the packets.

                                      +----------+
                                   ___| ethereal |
                                  /   +----------+
                                 /
  +------------+   +---------+  /  /======\              +------------+
  | FTP Client |---| Gateway |----| router |-->INTERNET->| FTP Server |
  +------------+   +---------+     \======/              +------------+

Packet #372 is a PORT command which is retransmitted in #374, and #375 is the
response to that PORT command. What you don't see is that the Gateway will
change the response's ACK so that the next time the PORT command is retransmitted in
#377, although the packet is the same, the SEQ number is increased by 1.
This is where the session breaks, and I suspect that this corresponds to
the place where TCP Stream starts printing junk.

Another thing I noticed is that when I open TCP Stream, all packets that
don't belong to that stream disappear from the main window and I
couldn't find another way to get them all displayed again except
to restart ethereal. I'm not sure if this is a bug or I am just not
familiar enough with the software.

The version I'm using is 0.8.16 (compiled with GTK+ 1.2.3, libpcap 0.5, libz
1.1.3, UCD SNMP 4.0.1).

I hope this helps. If you need more info, please contact me.


Damir Cosic
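A detection routine in the spirit of what Damir describes, written here as an added example (it is not part of the original thread, nor Ethereal code): it scans client-to-server TCP segments for a "retransmission" whose bytes match an earlier segment but whose SEQ has shifted into that segment's byte range, and flags a peer ACK that lands on no segment boundary the client actually produced. The segment tuples, frame numbers and the PORT address are constructed to mirror the mail, not taken from a capture.

```python
def find_anomalies(frames):
    """Return (kind, frame_no, detail) tuples in frame order.

    frames: iterable of (frame_no, direction, seq, ack, payload), where
    direction is "c2s" (FTP client -> server) or "s2c".  Only the client's
    control-channel bytes are tracked, matching the PORT case in the mail.
    """
    anomalies = []
    sent = []            # (seq, payload) for every c2s segment seen so far
    boundaries = set()   # SEQ values a well-behaved server could ACK
    for frame_no, direction, seq, ack, payload in frames:
        if direction == "c2s":
            end = seq + len(payload)
            boundaries.update((seq, end))
            for prev_seq, prev_payload in sent:
                # Identical bytes at a different SEQ whose range overlaps the
                # earlier copy cannot occur in a correct stream; it is what a
                # rewritten ACK pushes the sender into (same packet, SEQ+1).
                overlaps = prev_seq < end and seq < prev_seq + len(prev_payload)
                if payload and payload == prev_payload and seq != prev_seq and overlaps:
                    anomalies.append(("seq_shift", frame_no,
                        f"identical bytes first at SEQ {prev_seq}, now at SEQ {seq}"))
                    break
            sent.append((seq, payload))
        elif ack not in boundaries:
            anomalies.append(("ack_mismatch", frame_no,
                f"ACK {ack} lands on no client segment boundary {sorted(boundaries)}"))
    return anomalies


# Constructed sample modelled on the session in the mail (not a real capture).
PORT_CMD = b"PORT 10,0,0,5,4,1\r\n"          # 19 bytes, so 1000 -> 1019
SAMPLE_FRAMES = [
    (372, "c2s", 1000, 5000, PORT_CMD),      # original PORT command
    (374, "c2s", 1000, 5000, PORT_CMD),      # plain retransmission: harmless
    (375, "s2c", 5000, 1020, b""),           # gateway-rewritten ACK (1019 expected)
    (377, "c2s", 1001, 5000, PORT_CMD),      # same bytes, SEQ shifted by 1
]

if __name__ == "__main__":
    for kind, frame_no, detail in find_anomalies(SAMPLE_FRAMES):
        print(f"frame {frame_no}: {kind}: {detail}")
```

Fed real traffic, the same tuples can be produced from a capture with tshark field output; a legitimate repeat of the same command (sent again later, at a SEQ past the first copy) does not overlap and is not flagged.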