Ethereal-users: Re: [ethereal-users] Ethereal hangs when live capture started

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxx>
Date: Tue, 11 Jan 2000 15:41:23 -0600 (EST)

On Tue, 11 Jan 2000, Gerd Schering wrote:

> On Tue, 11 Jan 2000, you wrote:
> > 
> > Dear all,
> > 
> > I just installed the Ethereal 0.8.0.
> > Every time I start real time capture, the Ethereal hangs, without any error messages reported, I can only see an empty "Capture/Playback" window.  I did install the patched libpcap for Redhat.  Does anyone know what is happening?
> > 
> > My software config is :
> > Redhat 6.0 
> > Ethereal 0.8.0 DL from Henri Gomez
> > gtk+-devel-1.2.1-1 
> > glibc-devel-2.1.1-6
> > libpcap-0.4-10ethereal 
> > perl-5.00503-2
> > 
> 
> I have exactly the same problem with ethereal-8.0.1.
> Moreover, when different ethereal windows, i.e. main window +
> capture/playback, overlap and I try to move the upper one, the formerly overlapped
> region is left blank. 

There are two known causes for this behavior.  The most common problem is
that the Linux version of Libpcap doesn't return control to the calling
application when the network is idle.  This problem reveals itself
when you run 'strace' on Ethereal.  A broken libpcap calls recvfrom()
without first checking to see if the socket has any incoming data,
causing it to block until some traffic shows up:

30677 08:30:30 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}], 2, 0) = 0
30677 08:30:30 recvfrom(8, "\0\20{\357;\333\10\0 }\200\302\10\0E\0\0(\22\23@\0\377"..., 65535, 0x20, {sa_family=17, sa_data="\10\0\0\0\0\2\0\1\3\6\10\0 }"}, [20]) = 60

A "fixed" libpcap calls select() first, which allows libpcap to return if there
isn't any incoming data:

30914 09:05:48 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}], 2, 0) = 0
30914 09:05:48 select(9, [8], NULL, NULL, {0, 250000}) = 1 (in [8], left {0, 250000})
30914 09:05:48 recvfrom(8, "\10\0 }\200\302\0\20{\357;\333\10\0E\10\5\334-\323@\0\363"..., 65535, 0x20, {sa_family=17, sa_data="\10\0\0\0\0\2\0\1\3\6\0\20{\357"}, [20]) = 1514

The only way to fix this is to install an updated libpcap _and_ recompile
Ethereal, since libpcap is typically linked statically.


The other problem appears to be limited to the libpcap that comes with
RedHat 6.1.  When a capture filter wasn't specified, Ethereal would pass
a NULL pointer to libpcap.  This behavior is incompatible with the
RH 6.1 libpcap package and was fixed in Ethereal 0.8.1.  A workaround
for earlier versions of Ethereal is to use a space (or any other
nothing-but-not-really-empty string) as a filter.
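
The select()-before-recvfrom() pattern described in the message above, as an added example that is not part of the original message and not libpcap's own source. The names read_with_timeout, demo_read and FRAME are hypothetical, a local datagram socketpair stands in for the capture socket, and the 250000 microsecond timeout mirrors the one visible in the strace output.

```c
/* Added example, not libpcap source: check readiness before reading. */
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample payload standing in for a captured frame. */
static const char FRAME[] = "constructed-frame";

/* Wait up to timeout_usec for data on fd, then read one datagram.
 * Returns bytes read, 0 if the socket stayed idle, -1 on error. */
ssize_t read_with_timeout(int fd, void *buf, size_t len, long timeout_usec)
{
    fd_set rfds;
    struct timeval tv = { .tv_sec = timeout_usec / 1000000,
                          .tv_usec = timeout_usec % 1000000 };
    int ready;
    if (fd < 0 || fd >= FD_SETSIZE)   /* FD_SET is undefined beyond this */
        return -1;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    ready = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (ready <= 0)
        return ready;                 /* idle or error: caller regains control */
    return recvfrom(fd, buf, len, 0, NULL, NULL);
}

/* Hypothetical harness: a local datagram socketpair replaces the capture
 * socket. send_first != 0 queues one frame before the read. */
ssize_t demo_read(int send_first)
{
    int sv[2];
    char buf[64];
    ssize_t n;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (send_first && send(sv[1], FRAME, sizeof FRAME, 0) < 0)
        n = -1;
    else
        n = read_with_timeout(sv[0], buf, sizeof buf, 250000);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("idle: %zd, with data: %zd\n", demo_read(0), demo_read(1));
    return 0;
}
```

On the idle socket the call returns 0 after the timeout instead of blocking, which is what lets the calling application keep servicing its user interface.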