Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 1026] New: Invalid characters in PDML output when a packet

Date: Tue, 1 Aug 2006 19:11:33 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1026

           Summary: Invalid characters in PDML output when a packet
                    containing "aim.sst.icon" is found (a AOL AIM message)
           Product: Wireshark
           Version: 0.99.2
          Platform: PC
               URL: http://www.redali.com/bugs/wireshark/aim.sst.icon/
        OS/Version: Linux
            Status: NEW
          Severity: Blocker
          Priority: Medium
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: paul.blankenbaker@xxxxxxxxxx


Hello:

We've run across an issue in the PDML output from tshark v0.99.2
(Linux build) when we include the "-T pdml" option AND a packet
containing a proto type of "aim_sst" ("AIM Server Side Themes,
Download Buddy Icon Reply") is encountered.

The XML file being created is not valid (contains illegal characters)
and can't be used by standard XML tools (firefox won't display it and
xlstproc won't process it).

The command being run is:

   tshark -t r -r /tmp/aim.sst.icon.cap -T pdml

The aim.sst.icon.cap file was the result of a previous capture.

The issue appears to be in the output of the "show" attribute of the
"aim.sst.icon" field (I've tried to show a basic trace below):

  <packet ...
   ...
   <proto name="aim_sst" ...
     ...
     <field name="aim.sst.icon" ... show="RANDOM BYTES"/>

The value (shown as "RANDOM BYTES") changes in a random fashion on
each run even though I'm processing the same file (I'd guess
unitialized memory).

I will attempt to attach the following files to this bug report:

  aim.sst.icon.txt - The text of this bug report.

  aim.sst.icon.cap - The capture file which cause the problem.

  aim.sst.icon.pdml - The PDML output file generated (NOTE: Firefox probably
will display this as a plain text file as the web server doesn't indicate that
its XML).

The above three files can also be found at:

  http://www.redali.com/bugs/wireshark/aim.sst.icon/


The following shows the version of tshark I'm running (plus build and OS info):

[root@probe tmp]# tshark -v
TShark 0.99.2

Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.6.6, with libpcap 0.8.3, with libz 1.2.2.2,
with libpcre 5.0, with Net-SNMP 5.2.1.2, with ADNS, without Lua.

Running with libpcap version 0.8.3 on Linux 2.6.17-1.2142_FC4.
[root@probe tmp]#


The following demonstrates how the value keeps changing between each
run (the 'show' attribute shown below changes between runs and is non-ASCII):

[root@probe tmp]# tshark -t r -r /tmp/aim.sst.icon.cap -T pdml | grep
'aim.sst.icon\"'
    <field name="aim.sst.icon" showname="Icon: &lt;MISSING&gt;" size="0"
pos="101" show="  +-- /x"/>
[root@probe tmp]# tshark -t r -r /tmp/aim.sst.icon.cap -T pdml | grep
'aim.sst.icon\"'
    <field name="aim.sst.icon" showname="Icon: &lt;MISSING&gt;" size="0"
pos="101" show="  1-4/dj"/>
[root@probe tmp]#


KEYWORDS (for people searching): pdml, xml, xsl, aim, aim.sst.icon


Thanks for taking a look,
Paul


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.