
Hi all,

I'm using Wireshark to decode traffic captures in order to inspect login requests/answers from a web service.

My current version is:

bash-3.00$ /usr/local/bin/tshark -v
TShark 1.6.4 (SVN Rev Unknown from unknown)

Copyright 1998-2011 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.25.13, with libpcap 1.1.1, with libz 1.2.5, without POSIX capabilities, without libpcre, without SMI, without c-ares, with ADNS, without Lua, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, without Kerberos, with GeoIP.

Running on SunOS 5.10, with libpcap version 1.1.1, with libz 1.2.3.

Built using gcc 3.4.6.

The core dump occurs for most of my capture files (snoop on Solaris 10).

For example:

bash-3.00$ /usr/local/bin/tshark -o tcp.check_checksum:false -r teste.cap -V -d tcp.port==10010,http

(Ultra cool dissecting of some thousands of HTTP POSTs)

And then:

[Malformed Packet: T.38] [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)] [Message: Malformed Packet (Exception occurred)] [Severity level: Error] [Group: Malformed]

Bus Error (core dumped)

Does anyone have any ideas on how to solve this problem? Even if the dump contains some malformed packets, is it possible to ignore them and continue?

Thanks!

BR AJ

asked 13 Apr '12, 11:00

Alexandre Vieira


The core dump means there's a bug in that version of TShark. TShark doesn't deliberately panic when it sees malformed packets; there's probably code that's not being sufficiently cautious about the packet data it's parsing.

If you have a debugger (gdb or dbx or lldb or...), try running the debugger with the TShark binary and the core dump file, and get a stack trace from the crash. Then file a bug on the Wireshark bugzilla, and attach the stack trace. (Do NOT attach the core dump file - it's large and won't be useful except on a Solaris 10 machine with the same instruction set architecture and the same binary of TShark, and most of us probably won't have that.)


answered 13 Apr '12, 11:38

Guy Harris ♦♦
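The answer above asks for a stack trace and, implicitly, for a reproducer small enough to be useful. The crash here is a signal death in a dissector, and whether a given packet triggers it can depend on state accumulated from earlier packets (TCP reassembly, conversation tracking), so the practical way to isolate it is to bisect on capture prefixes with editcap, keep the smallest prefix that still crashes, and only then pull the backtrace from the core. The script below is an added example and is not code from the thread or from the Wireshark project. It assumes editcap, tshark and gdb are on PATH, reuses the capture name, port mapping and tshark path from the question, and takes the packet count from the caller (for instance from `capinfos -c`). The probe function is looked up through `$CRASH_CHECK` so the search logic can be exercised without a crashing binary.

```shell
#!/bin/sh
# Added example (not from the thread): narrow a TShark crash down to the
# smallest crashing packet prefix, save it as a reproducer, and print the
# backtrace to attach to the bug report.
# Assumptions: editcap, tshark and gdb are on PATH; the capture name, the
# port-to-HTTP mapping and the tshark binary path come from the question;
# the packet count is supplied by the caller (e.g. from "capinfos -c").
# Uses POSIX sh arithmetic, so on Solaris 10 run it under bash or
# /usr/xpg4/bin/sh rather than the legacy Bourne /bin/sh.

# range_crashes CAPTURE LAST
# Re-run the failing tshark command on packets 1..LAST only (editcap -r keeps
# the listed range). Returns 0 when tshark died from a signal: the shell
# reports that as 128+signo, so "Bus Error (core dumped)" (SIGBUS, 10) shows
# up as 138 and a segfault as 139. Returns 1 when tshark ran to completion,
# 2 when the probe itself could not be set up.
range_crashes() {
    cap=$1; last=$2
    tmp=$(mktemp /tmp/bisect.XXXXXX) || return 2
    editcap -r "$cap" "$tmp" "1-$last" || { rm -f "$tmp"; return 2; }
    status=0
    tshark -o tcp.check_checksum:false -r "$tmp" -V -d tcp.port==10010,http \
        >/dev/null 2>&1 || status=$?
    rm -f "$tmp"
    [ "$status" -gt 128 ]
}

# bisect_prefix CAPTURE COUNT
# Binary search for the smallest N such that packets 1..N crash tshark.
# Prefixes rather than single packets are tested because the crashing
# dissector may depend on state built from earlier packets, so the prefix
# is a self-contained reproducer. Requires that 1..COUNT is known to crash.
# The probe is taken from $CRASH_CHECK so a stub can stand in for it.
# Prints N; returns 2 if a probe could not be run.
bisect_prefix() {
    cap=$1; lo=1; hi=$2
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        "${CRASH_CHECK:-range_crashes}" "$cap" "$mid" && rc=0 || rc=$?
        case $rc in
            0) hi=$mid ;;           # 1..mid already crashes: trigger is at or before mid
            1) lo=$((mid + 1)) ;;   # 1..mid is fine: trigger is after mid
            *) echo "probe failed at packet $mid" >&2; return 2 ;;
        esac
    done
    echo "$lo"
}

# backtrace BINARY CORE
# Non-interactive gdb session producing the stack trace the answer asks for.
# With Sun's dbx instead:  echo where | dbx BINARY CORE
backtrace() {
    gdb -batch -ex "bt full" -ex "info registers" "$1" "$2"
}

# Driver: ./tshark_bisect.sh teste.cap PACKET_COUNT
if [ $# -eq 2 ]; then
    if ! range_crashes "$1" "$2"; then
        echo "tshark did not crash on all $2 packets of $1; nothing to bisect" >&2
        exit 1
    fi
    n=$(bisect_prefix "$1" "$2") || exit 2
    editcap -r "$1" repro.cap "1-$n"
    echo "smallest crashing prefix: packets 1-$n, saved as repro.cap"
    # Run once more on the reproducer so the core matches it, then extract
    # the backtrace (the core lands in the cwd unless coreadm says otherwise).
    tshark -o tcp.check_checksum:false -r repro.cap -V -d tcp.port==10010,http \
        >/dev/null 2>&1 || true
    [ -f core ] && backtrace /usr/local/bin/tshark core > backtrace.txt && \
        echo "backtrace written to backtrace.txt; attach it (not the core) to the bug"
fi
```

Two caveats when using this on a real capture: the search is only meaningful once `range_crashes` has confirmed that the full capture crashes, which is why the driver checks that first, and a prefix of a few hundred packets is still a far better bug attachment than the whole dump, since the maintainers can reproduce the dissector state exactly. The reproducer also answers the "ignore and continue" part of the question in the only way this TShark version allows: the packets after the trigger can be cut out with editcap and dissected in a separate run.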

In most cases I use tcpdump, tshark or wireshark, but these tools were not sufficient in all cases. So I looked for other tools, and it seems I found a very cool console-based network sniffer for analyzing HTTP traffic on Linux: justniffer.


answered 11 May '12, 03:23

Augustyn2


last updated: 11 May '12, 03:23
