Ethereal-dev: [Ethereal-dev] [gsstark@xxxxxxx: Bug#199908: ethereal: Ethereal gets confused if

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Frederic Peters <fpeters@xxxxxxxxxxxxx>
Date: Thu, 10 Jul 2003 10:58:23 +0200
Hello,

Got this bug report (199908) in the Debian Bug Tracking System.

Later on he posted a patch.


Regards,
        Frederic


bash-2.05b# diff -u follow.c.~1~ follow.c
--- follow.c.~1~	2002-12-03 20:36:10.000000000 -0500
+++ follow.c	2003-07-03 15:01:28.000000000 -0400
@@ -140,12 +140,16 @@
   /* Now check if the packet is for this connection. */
   memcpy(srcx, net_src->data, len);
   memcpy(dstx, net_dst->data, len);
-  if ((memcmp(srcx, ip_address[0], len) != 0 &&
-       memcmp(srcx, ip_address[1], len) != 0) ||
-      (memcmp(dstx, ip_address[0], len) != 0 &&
-       memcmp(dstx, ip_address[1], len) != 0) ||
-      (srcport != tcp_port[0] && srcport != tcp_port[1]) ||
-      (dstport != tcp_port[0] && dstport != tcp_port[1]))
+  if (
+      ! (
+	 !memcmp(srcx, ip_address[0], len) && !memcmp(dstx, ip_address[1], len) &&
+	 srcport == tcp_port[0] && dstport == tcp_port[1]
+	 ) &&
+      ! (
+	 !memcmp(srcx, ip_address[1], len) && !memcmp(dstx, ip_address[0], len) &&
+	 srcport == tcp_port[1] && dstport == tcp_port[0]
+	 )
+      ) 
     return;
 
   /* Initialize our stream chunk.  This data gets written to disk. */
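
Review bot: the new condition in the added `if ( ! ( ... ) && ! ( ... ) )` relies on ip_address[0] and tcp_port[0] describing one endpoint and ip_address[1] and tcp_port[1] the other, a pairing the removed field-by-field test never depended on. A comment above the `if` should state that pairing and say that the two negated groups are the two directions of the followed stream. The double negation around `!memcmp(...)` is also hard to scan; computing each direction into a named local and testing `if (!fwd && !rev) return;` would read more clearly. Minor: the added lines mix tabs and spaces, and the final `) ` line carries trailing whitespace.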

--- Begin Message ---
Subject: Bug#199908: ethereal: Ethereal gets confused if you have symmetric streams
From: gsstark@xxxxxxx
To: submit@xxxxxxxxxxxxxxx
Sender: Gregory Stark <stark@xxxxxxxxxxx>
Date: Thu, 03 Jul 2003 14:46:03 -0400

Package: ethereal
Version: 0.9.13-1
Severity: normal

The "Follow TCP Stream" option becomes totally confused if you have two streams
with swapped port numbers. 

For example, if I'm at host1 and connected to a web server on host2 at the same
time as host2 is connected to a web server on my machine, and we both happen to
pick identical source ports, then the Follow TCP Stream doesn't work properly.

What happens is it prints many many messages of the form:

bash-2.05b# ERROR in reassemble_tcp: Too many addresses!
ERROR in reassemble_tcp: Too many addresses!
ERROR in reassemble_tcp: Too many addresses!
ERROR in reassemble_tcp: Too many addresses!
 
And the window that shows the TCP Stream shows one side of each
conversation instead of both sides of the same conversation.


If you think this is an uncommon occurrence, well, it would be except for NAT.
Under netfilter, SNAT and DNAT both try to preserve port numbers whenever
possible. Consider the case of accessing a service, say port 80, from the
server itself, but via the external NAT'd address. Both SNAT and DNAT are
performed, which results in two otherwise identical streams from
internal.sourceport <-> external.80 and external.sourceport <-> internal.80. 

Note that these two otherwise identical streams are not the same stream because
while the addresses are swapped the ports are not. And only the combination of
all addresses and ports makes a stream.

In this case what Ethereal shows in the TCP Stream window is the GET request
repeated twice. It doesn't show any of the HTTP response flow.

Ethereal should key off both the addresses and ports to find matching packets
for the TCP Stream.


-- System Information
Debian Release: testing/unstable
Kernel Version: Linux stark.dyndns.tv 2.4.20 #5 Tue Apr 8 08:34:27 EDT 2003 i686 GNU/Linux

Versions of the packages ethereal depends on:
ii  ethereal-commo 0.9.13-1       Network traffic analyser (common files)
ii  libatk1.0-0    1.2.4-1        The ATK accessibility toolkit
ii  libc6          2.3.1-17       GNU C Library: Shared libraries and Timezone
ii  libglib2.0-0   2.2.2-1        The GLib library of C routines
ii  libgtk2.0-0    2.2.1-6        The GTK+ graphical user interface library
ii  libpango1.0-0  1.2.1-4        Layout and rendering of internationalized te
ii  libpcap0.7     0.7.2-1        System interface for user-level packet captu
ii  zlib1g         1.1.4-13       compression library - runtime



--- End Message ---
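
The matching rule the report asks for, set beside the field-by-field test it replaces and run over the swapped-port NAT case, as an added example (not Ethereal's code and not part of the original messages). The struct, the function names, the documentation-range addresses and source port 40000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 addresses and TCP ports of one packet, or of the followed stream. */
struct tuple { uint8_t src[4], dst[4]; uint16_t sport, dport; };
typedef int (*match_fn)(const struct tuple *f, const struct tuple *p);

/* Field-by-field test: each field only has to equal one of the two followed
 * addresses or one of the two followed ports, independently of the others. */
static int loose_match(const struct tuple *f, const struct tuple *p)
{
    return (!memcmp(p->src, f->src, 4) || !memcmp(p->src, f->dst, 4)) &&
           (!memcmp(p->dst, f->src, 4) || !memcmp(p->dst, f->dst, 4)) &&
           (p->sport == f->sport || p->sport == f->dport) &&
           (p->dport == f->sport || p->dport == f->dport);
}

/* 4-tuple test: the packet must equal the followed stream as a whole, either
 * as-is (request direction) or with both endpoints swapped (the reply). */
static int strict_match(const struct tuple *f, const struct tuple *p)
{
    int fwd = !memcmp(p->src, f->src, 4) && !memcmp(p->dst, f->dst, 4) &&
              p->sport == f->sport && p->dport == f->dport;
    int rev = !memcmp(p->src, f->dst, 4) && !memcmp(p->dst, f->src, 4) &&
              p->sport == f->dport && p->dport == f->sport;
    return fwd || rev;
}

/* Constructed sample: two streams between the same hosts, ports swapped. */
#define HOST_INT {192, 0, 2, 10}
#define HOST_EXT {198, 51, 100, 20}
static const struct tuple followed = { HOST_INT, HOST_EXT, 40000, 80 };
static const struct tuple capture[4] = {
    { HOST_INT, HOST_EXT, 40000, 80 },  /* followed stream, request  */
    { HOST_EXT, HOST_INT, 80, 40000 },  /* followed stream, response */
    { HOST_EXT, HOST_INT, 40000, 80 },  /* second stream, request    */
    { HOST_INT, HOST_EXT, 80, 40000 },  /* second stream, response   */
};

/* Number of captured packets the given test assigns to the followed stream. */
static int count_matches(match_fn m)
{
    int i, n = 0;
    for (i = 0; i < 4; i++) n += m(&followed, &capture[i]);
    return n;
}

int main(void)
{
    printf("loose=%d strict=%d\n", count_matches(loose_match), count_matches(strict_match));
    return 0;
}
```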