Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 6189] New: text2pcap creates malformed packets/ frames

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 1 Aug 2011 08:25:35 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6189

           Summary: text2pcap creates malformed packets/ frames
           Product: Wireshark
           Version: 1.0.15
          Platform: Other
        OS/Version: Red Hat
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: apohal9@xxxxxxxxxxxxxx


Build Information:
TShark 1.0.15

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX
capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with
GnuTLS 1.4.1, with Gcrypt 1.4.4, with MIT Kerberos.

Running on Linux 2.6.18-194.el5, with libpcap version 0.9.4.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-48).

--
We need to convert a hex dump written with tshark to a pcap-file to replay the
packets.
We’re capturing http-streams and write them as hex.
When we use text2pcap to convert it to pcap format, the output of text2pcap is
with no error – the packets got written successfully.

The strange thing happens, when we replay the pcap or just let tshark read the
pcap file.
The most packets are told to be malformed. Sometimes we also find f.e.
hsrp-packets.
What are we doing wrong ?

Capturing packets with: “tshark  -i eth1 –n port 443 –V –R http” (we see the
http stream/ packets)
Writing to file: “tshark  -i eth1 –n port 443 –V –R http | grep -e
"^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file.hex”
Converting: “text2pcap file.hex file_hex.pcap” (no errors)

Wrote packet of 10 bytes at 0
Wrote packet of 5786 bytes at 10
Wrote packet of 2896 bytes at 5796
Wrote packet of 2277 bytes at 8692
Wrote packet of 10 bytes at 10969
Wrote packet of 1981 bytes at 10979
Wrote packet of 10 bytes at 12960
Wrote packet of 4338 bytes at 12970
Wrote packet of 8000 bytes at 17308
Wrote packet of 688 bytes at 25308
Wrote packet of 3590 bytes at 25996
Read 11 potential packets, wrote 11 packets

Reading with tshark: “tshark –r file_hex.pcap”
  1   0.000000              ->              Ethernet [Malformed Packet]
  2   0.000001 b6:ee:ff:8e:e8:77 -> ed:7d:eb:72:e2:48 0xd010 Ethernet II
  3   0.000002 73:72:65:8a:3b:93 -> 3e:07:9c:ae:53:b1 0x27e2 Ethernet II
  4   0.000003 fa:93:2e:4a:68:8f -> 42:f2:2e:c9:7d:46 0x7d8a Ethernet II
  5   0.000004              ->              Ethernet [Malformed Packet]
  6   0.000005 12:ff:3f:52:de:81 -> dd:59:fd:6e:e2:48 0xb5b4 Ethernet II
  7   0.000006              ->              Ethernet [Malformed Packet]
  8   0.000007 d5:e6:75:52:95:77 -> ed:7d:db:72:db:ca 0xc0cf Ethernet II
  9   0.000008 2e:21:ca:d8:41:3e -> 8e:9f:5f:95:6e:9a 0xf728 Ethernet II
10   0.000009 a9:15:ec:dd:ae:9b -> e7:d4:72:ba:b2:d3 0x3e4e Ethernet II
11   0.000010 00:4a:ba:1a:e6:33 -> 24:8f:67:ee:96:a4 0x08c6 Ethernet II

And, of course:
“tshark –r file_hex.pcap  -V -R http” outputs nothing.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube