Hi,
Well, I have confirmed that the packet crashes Ethereal under Win95, and is
read OK under Linux.
I do not have a build environment for Win9X or NT, so I cannot do much
more, and I do not currently have the time to create a build environment
for Win9X or NT either.
At 01:41 PM 12/16/00 +1000, Michael Hennessy wrote:
>
>Hi all,
>
>I've got a problem with a particular packet that relaibly GPF's ethereal
>and tethereal (on NT4). Per Gilbert's Ramirez's suggestion I'm posting the
>packet concerned to ethereal-dev for comment....
>
>Actually, attached are two frames from a recent capture session I did -
>frame numbers 292 and 13097- both are extracted from the same capture dump
>(of 100,000 frames) using editcap, and one reliably GPF's my ethereal and
>tethereal v0.8.14.1 when trying to decode it.
>
>dump file tcap3.13097 is the one that doesnt decode, whilst tcap3.292 is OK
>- its picked purely because its the first frame in the session of the same
>general type (ie SMBgetattr) , but doesnt display this problem - ie it
>decodes in tethereal/ethereal without crashing.
>
>
>
>Using a combination of windump (the windows tcpdump) and a slightly
>modified version of a script called tcpformat.pl I found, I've managed to
>decode the bad frame to the point where I think the problem is probably in
>the SMB decoding portion (although I havnt checked the checksums in the IP
>and TCP headers as yet - thats the next job).
>
>The commands used to do this decoding are below and the files generated
>from them are attached, in case it helps anyone more savvy with SMB packet
>formats than I to spot whats up.
>
>windump -e -x -r tcap3.292 | perl tcpformat.pl > tcap3.292.tcpformat.txt
>windump -e -x -r tcap3.13097 | perl tcpformat.pl >
>tcap3.13097.tcpformat.txt
>
>
>
>
>regards,
>
>Michael Hennessy
>------------------------------------------------------------------------
>----------
>Excalibur Engineering Pty. Ltd.
>
>Mobile Phone No : (+61) 0411 789392
>Office Phone No. : (+61) 0249 400133
>Office Fax No. : (+61) 0249 400266
>Email Address : hennessy@xxxxxxxxxxxxxxxx
>
>Postal Address : PO Box 1088 Newcastle NSW 2300, Australia
>Street Address : 80 Chin Chen Street, Islington,
> Newcastle, 2296, Australia
>------------------------------------------------------------------------
>----------
>
>
>On Friday, December 15, 2000 11:55 PM, Gilbert Ramirez
>[SMTP:gram@xxxxxxxxxx] wrote:
>> On Fri, 15 Dec 2000 15:44:16 +1000
>> Michael Hennessy <hennessy@xxxxxxxxxxxxxxxx> wrote:
>>
>> > The packet in question is available for testing if someone wants to
>have a
>> > go at it - its only 153 bytes long.
>> >
>>
>> That's what we need. Either send the packet trace to ethereal-dev,
>> if it can be made public, or send it to me or another Ethereal
>> developer with instructions not to make it public.
>>
>> --gilbert
>Attachment Converted: "c:\eudora\attach\tcap3.292"
>
>Attachment Converted: "c:\eudora\attach\tcap3.13097"
>16:56:55.005498 0:d0:b7:88:43:f7 0:0:e8:cf:31:1c ip 113: 192.168.0.1.139 >
192.168.0.15.1025: P 15849027:15849086(59) ack 2777904 win 7302 (DF)
>Version: 4 Header Length: 5 Differentiated Services Field: 0x00
>Total Length: 99 Identification: 0x 69c
>Flags: 0x04
>Fragment Offset: 0 Time to Live: 128 Protocol: 6
>Header Checksum: 0x7298
>Options: 0 Padding: 1
>Source Address: 192.168.0.1 Destination Address: 192.168.0.15
> Source Port: 139
> Destination Port: 1025
> Sequence Number: 15849027
> Acknowledgement Number: 2777904
> Header Length: 5
> Code Bits: 24 ACK PSH
> Window Size: 7302
> Checksum: 0xb0af
> Urgent Pointer: 0
> Options: 00000037
> Data: (length of 59 bytes)
> 00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80
...7.SMB........
> 00 00 00 00 00 00 00 00 00 00 00 00 04 08 8d 11
................
> 00 08 83 c3 0a 20 00 00 9e 36 0e d7 00 00 00 00 .....
...6......
> 00 00 00 00 00 00 00 00 00 00 00 ...........
>-----------------------------------------
>16:59:35.477974 0:d0:b7:88:43:f7 0:0:e8:cf:35:18 ip 113: 192.168.0.1.139 >
192.168.0.14.1025: P 16779010:16779069(59) ack 2354633 win 7420 (DF)
>Version: 4 Header Length: 5 Differentiated Services Field: 0x00
>Total Length: 99 Identification: 0xe7cd
>Flags: 0x04
>Fragment Offset: 0 Time to Live: 128 Protocol: 6
>Header Checksum: 0x9167
>Options: 0 Padding: 1
>Source Address: 192.168.0.1 Destination Address: 192.168.0.14
> Source Port: 139
> Destination Port: 1025
> Sequence Number: 16779010
> Acknowledgement Number: 2354633
> Header Length: 5
> Code Bits: 24 ACK PSH
> Window Size: 7420
> Checksum: 0x12ab
> Urgent Pointer: 0
> Options: 00000037
> Data: (length of 59 bytes)
> 00 00 00 37 ff 53 4d 42 08 00 00 00 00 80 00 80
...7.SMB........
> 00 00 00 00 00 00 00 00 00 00 00 00 04 08 f5 29
...............)
> 00 08 01 5c 0a 20 00 00 21 7c 86 10 02 00 00 00 ...\.
..!|......
> 00 00 00 00 00 00 00 00 00 00 00 ...........
>-----------------------------------------
>
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba