
Wireshark-bugs: [Wireshark-bugs] [Bug 2477] New: Illegal characters in XML output for ssh.paddin

Date: Fri, 18 Apr 2008 11:06:19 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2477

           Summary: Illegal characters in XML output for ssh.padding_string
           Product: Wireshark
           Version: 0.99.8
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: robert.e.cranfill@xxxxxxxxxx


Created an attachment (id=1709)
 --> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=1709)
Tshark capture file containing a sample SSH login which shows the problem.

Build Information:
TShark 0.99.8 (SVN Rev 24492)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.14.6, with WinPcap (version unknown), with libz 1.2.3, with
libpcre 7.0, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with
Gcrypt 1.2.3, with MIT Kerberos.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.

Built using Microsoft Visual C++ 6.0 build 8804

--
The XML output using the "-T pdml" has invalid characters (non-printing
characters) in the "ssh.padding_string" field's "show" attribute, as seen in
the attached capture file (bad_ssh.1.packetdata).

I elicited the bad SSH field by starting a capture with:

   tshark -i 4 -f "port 22" -w bad_ssh.1.packetdata

and then logging in to a networked machine via SSH.

If the attached file is output to XML via the command:

   tshark -r bad_ssh.1.packetdata -T pdml >bad_ssh.1.packetdata.xml

the resulting XML can be searched for the field "ssh.padding_string". There are
several in the sample data, but the first one, in the seventh packet, has (I
hope this Bugzilla web page will allow pasting these non-printing chars; we'll
see....)

        <field name="ssh.padding_string" showname="Padding String:
\354\017A\257F\206\376NE" size="9" pos="477" show="ì\x0fA¯F†þNE"
value="ec0f41af4686fe4e45"/>

whereas the same XML produced on a Linux machine has the line

        <field name="ssh.padding_string" showname="Padding String:
\354\017A\257F\206\376NE" size="9" pos="477" show="\xec\x0fA\xafF\x86\xfeNE"
value="ec0f41af4686fe4e45"/>

Notice that the Linux output has "escaped" chars in the "show" field, whereas
the Windows output does not.

This causes much grief to my XML parser!

 - rob
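
Added example, not part of the original report and not Wireshark code: a pre-parse check for a consumer of PDML that flags bytes which are not well-formed UTF-8 or not allowed by XML 1.0, and rewrites them as `\xNN` escapes in the form the Linux output above uses. The names `sanitize_pdml`, `xml10_char` and `parses` are hypothetical, and the sample line is constructed from the `value=` bytes quoted in the report.

```python
import xml.etree.ElementTree as ET

def xml10_char(cp: int) -> bool:
    """True if the code point is allowed by the XML 1.0 'Char' production."""
    return (cp in (0x09, 0x0A, 0x0D) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def sanitize_pdml(raw: bytes):
    """Escape bytes that make a PDML document ill-formed.

    Returns (clean_text, flagged), flagged being (char_index, value) pairs.
    """
    # surrogateescape maps each undecodable byte 0xNN to the lone surrogate U+DCNN
    text = raw.decode("utf-8", errors="surrogateescape")
    out, flagged = [], []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            cp -= 0xDC00              # recover the original invalid byte
        elif xml10_char(cp):
            out.append(ch)            # legal character, keep unchanged
            continue
        flagged.append((i, cp))
        out.append("\\x%02x" % cp if cp < 0x100 else "\\u%04x" % cp)
    return "".join(out), flagged

# Constructed sample: the nine padding bytes from the report's value= attribute,
# placed raw inside show= to stand in for unescaped output.
PADDING = bytes.fromhex("ec0f41af4686fe4e45")
SAMPLE = (b'<field name="ssh.padding_string" size="9" pos="477" show="'
          + PADDING + b'" value="ec0f41af4686fe4e45"/>')

def parses(doc: bytes) -> bool:
    """True if a strict XML parser accepts the document."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    clean, flagged = sanitize_pdml(SAMPLE)
    print("raw parses:", parses(SAMPLE), "| cleaned parses:", parses(clean.encode("utf-8")))
    print(clean)
```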

