Ethereal-dev: Re: [ethereal-dev] Probable serious bug in ethereal 0.7.8 and 0.7.9 under Linux

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 23 Dec 1999 15:03:34 -0800 (PST)
> I was having a similar problem with RedHat 6.1. They did something to the
> tcpdump and libpcap to allow sniffing on more than one interface at a
> time. This changes the file format for pcap and ethereal does the freeze
> thing as mentioned.

Note that Ethereal doesn't use "libpcap" to write out its capture files,
so the change to the capture file format should not, *at all*, cause
this.  When doing a live capture, we write the capture file out in
standard "libpcap" format, even on Red Hat 6.1, as we're using our own
code to write it out.

> Also, I found that the same freezing occurs when you read a file in that
> was saved with the Redhat 6.1 tcpdump using -w.

Ethereal versions prior to 0.7.8 couldn't read those files at all.

The Wiretap library Ethereal uses to read and write capture files was
changed in 0.7.8 to make an attempt to guess whether a file is in the
bogus Red Hat format (which has a different file format but *the same
magic number*), as well as to read files from later versions of Alexey
Kuznetzov's patch (Red Hat picked up an early version that didn't change
the magic number; later patches change the magic number, and can read
capture files from standard "libpcap" - Red Hat will apparently use a
later version for a future release, as implied by their notes on bug
6773, which I filed when I discovered their screwup).

I've successfully read, with Ethereal on Solaris/SPARC, capture files
from the RH 6.1 "libpcap" (run on an RH 6.0 system), the standard
"libpcap", and Alexey's later "libpcap", with no freeze whatsoever.  Do
you have a capture file that causes Ethereal to freeze when *reading* it
(not a freeze when capturing packets, a freeze when reading in a vanilla
capture file)?  Does it still freeze if you run Ethereal with the "-n"
flag (so that the freeze isn't just a temporary blockage trying to get
an answer from a DNS server)?

> What upsets me is that Redhat didn't uprev the version number. They give
> you no clue that they changed something like this.

If I were in a bad mood I'd say that's because they had no clue to
give....
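
The guess the message describes (telling a standard capture from a patched one when both carry the same magic number) can be made by walking the records under each candidate header size and keeping the one that stays plausible. This is an added example, not Wiretap's code or its actual heuristic. It assumes details the message does not give: that the patched record header is the standard 16 bytes plus 8 extra bytes (interface index, protocol, packet type, pad) and that the later patch uses magic 0xa1b2cd34. The sample captures are constructed.

```python
import struct

STD_MAGIC = 0xA1B2C3D4  # standard libpcap magic, also written by the RH 6.1 libpcap
MOD_MAGIC = 0xA1B2CD34  # magic of the later patch (assumption: not given in the message)
FILE_HDR_LEN = 24       # magic, version, thiszone, sigfigs, snaplen, linktype

def walk(data, order, rec_hdr_len, snaplen):
    """Count records if every record is plausible for this header size, else None."""
    off, count = FILE_HDR_LEN, 0
    while off < len(data):
        if off + rec_hdr_len > len(data):
            return None
        _sec, usec, caplen, origlen = struct.unpack_from(order + "IIII", data, off)
        if usec >= 1_000_000 or caplen > snaplen or caplen > origlen:
            return None
        off += rec_hdr_len + caplen
        if off > len(data):
            return None
        count += 1
    return count

def classify(data):
    if len(data) < FILE_HDR_LEN:
        raise ValueError("too short for a libpcap file header")
    for order in "<>":  # try little-endian, then big-endian
        magic = struct.unpack_from(order + "I", data)[0]
        if magic == MOD_MAGIC:
            return "modified, own magic"
        if magic == STD_MAGIC:
            break
    else:
        raise ValueError("not a libpcap capture file")
    snaplen = struct.unpack_from(order + "I", data, 16)[0]
    std, mod = walk(data, order, 16, snaplen), walk(data, order, 24, snaplen)
    if std and not mod:
        return "standard"
    if mod and not std:
        return "modified, standard magic"
    return "undetermined"  # empty, truncated, or both layouts fit

def build(extra, magic=STD_MAGIC, frames=3):
    """Constructed sample capture: `frames` 60-byte broadcast Ethernet frames."""
    frame = bytes.fromhex("ffffffffffff001122334455" "0800") + bytes(46)
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for i in range(frames):
        out += struct.pack("<IIII", 946000000 + i, 1000 * i, 60, 60) + extra + frame
    return out

RH_EXTRA = struct.pack("<IHBB", 2, 0x0800, 0, 0)  # ifindex, protocol, pkt_type, pad
```

A reader that trusts the magic number alone and applies the 16-byte layout to a patched file lands mid-payload on the second record and takes packet bytes as a length, which is why every length is bounds-checked before it is used to advance.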