Hi,
Ethereal 0.8.8 (and the current CVS) exhibit a bug whereby they
dissect & display data that isn't really in the packet.
Take a look at the enclosed capture file. If packet 117 is displayed
first then the TCP content should just be "Continuation data" but if
packet 115 is displayed first and then 117 is displayed the netbios
and session stuff from packet 115 is still being seen when 117 is
displayed.
A crude fix for this is to clear the buffer before getting the frame
data.
Adding the following line before the call to wtap_seek_read() in
select_packet() does the trick.
memset(cf->pd, 0, sizeof(cf->pd));
Obviously, a better fix would be to find where the netbios/smb
dissector is getting the length of the captured data wrong and fix
that but I haven't had time to look into that yet. On the other hand,
clearing the buffer doesn't take very long and may stop other spurious
output.
I hope this is helpful and many thanks to you all for developing such
a way cool program.
Mark
PS. I haven't been able to enter & save any filter strings in the
filter dialog (gtk version 1.2.6) is it broken?
Attachment:
rook-divvy-lark2.gz
Description: Binary data