| Bug ID |
11685
|
| Summary |
Qt Wireshark - Malformed IEEE 802.11 frames will cause packet list to appear to be double (or even triple) spaced
|
| Product |
Wireshark
|
| Version |
unspecified
|
| Hardware |
x86
|
| OS |
Mac OS X 10.10
|
| Status |
UNCONFIRMED
|
| Severity |
Minor
|
| Priority |
Low
|
| Component |
Qt UI
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Created attachment 13982 [details]
11 packet Wifi monitor mode trace with malformed frames that trigger
packet-list formatting issues
Build Information:
Version 2.1.0-458-g47172e7 (v2.1.0rc0-458-g47172e7 from unknown)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, without c-ares, without ADNS,
with
Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.
Running on Mac OS X 10.10.5, build 14F1021 (Darwin 14.5.0), with locale C, with
libpcap version 1.5.3 - Apple version 47, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)
Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Qt Wireshark's packet-list will appear to be double-spaced or even
triple-spaced once certain types of malformed IEEE 802.11 frames are presented
to the packet-list.
Attached is an 11 frame capture file. This capture contains examples of
malformed packets that trigger the packet-list spacing issue. These particular
malformed frames were extracted from several much larger wifi monitor mode
capture files.
Frames 1-5, 7-9 and 11 trigger the packet-list to go into double-space mode.
Frames 6 and 10 trigger the packet-list to go into triple space mode.
The presence of these malformed frames in the original trace files would
trigger the double or triple space issue as soon as one of these particular
type of malformed frames was presented within the packet-list. If the first
problematic packet was frame 1000, the spacing issue will not appear until
frame 1000 is presented in the packet-list. The spacing issue will persist
once the problematic packet is no longer presented in the packet=list unless
you one trigger a file reload or simply toggle an arbitrary frame as ignored
and then unignored.
Workarounds:
Once identified, we have a couple of ways to deal with the problematic
malformed IEEE 802.11 packets.
1 - Exclude the problematic frames with a display filter:
The problematic malformed 802.11 frame numbers can be be excluded from the
packet-list using a display filter such as "!(frame.number==6 ||
frame.number==10)". This particular display filter will exclude the two frames
that trigger triple-spacing of the packet-list in the attached trace. The
problem with this technique is that you must manually reload the trace file to
force the packet-list to refresh the spacing after applying the filter. When
you force a capture file reload certain working attributes such as marked
frames, ignored frames and time references are lost.
2 - Flag the problematic frames as ignored:
The problematic malformed 802.11 frames can be given an ignore status using
Wireshark's Ignore/Unignore packet feature. The benefit of this technique is
that as soon as a packet is flagged as ignored the packet-list will be updated.
With the attached sample trace as soon as both packets 6 and 10 are marked as
ignored the packet list will switch from triple-spaced to double-spaced. Once
all 11 packets are ignored the packet list will display as single-spaced.
This packet-list spacing problem is likely triggered because the contents of
certain IEEE 802.11 fields appear to be extracted and presented to the
packet-list's Info column without adequate scrubbing or escaping. Hiding the
Info column does not stop the spacing issue from happening but deleting the
Info column does.
You are receiving this mail because:
- You are watching all bug changes.
