> I'm using RH7.2 and trying to troubleshoot a problem I'm having
> running Ethereal. I'm getting the same symptoms using both the 0.8.18-9
> rpm that came with RH7.2 and the compiled source 0.8.20 so I think
> Ethereal is the victim and not the problem.
Not necessarily a valid conclusion - it may be an Ethereal bug present
in both 0.8.18 and 0.8.20.
> The real problem I have is I can't get any kind of error messages -
> just Segmentation fault.
You might also get a core dump file in the directory in which Ethereal
was running.
> It crashes most often when I stop capturing
Unless you're doing an "Update list of packets in real time" capture,
the capture file isn't read in until you stop capturing; if there's a
bug in a protocol dissector, it won't happen until the packets are
dissected, which doesn't happen until the capture is read in.
> but it's not the only time.
>
> Could someone give me a clue as to how to troubleshoot this?
If you have a core dump file (named "core") in the directory in which
you ran the capture, try using GDB. Use the 0.8.20 source version, as

    1) you have the source to it, so GDB can give you more
       information;

    2) it will probably have been compiled with debugger symbol
       tables (and not have the symbol tables stripped);

    3) it won't run into bugs that *have* been fixed in 0.8.20.

Try running it from the top-level Ethereal source directory, so that the
core dump occurs in that directory, and you can just do

    gdb ethereal core

and then do a "bt" command to get a stack trace.
> Is there a debug mode I can turn on?
No, and even if there were, it couldn't necessarily catch every single
problem - it's impossible to anticipate all the bugs.
> I'm starting it from the command line in hopes of getting some clue.
> The syslog only shows that the interface went in and out of promiscuous
> mode.
It went into promiscuous mode when Ethereal started capturing, and left
promiscuous mode when it stopped. That probably is not a direct cause
of the problem (it might be an indirect cause in the sense that, for
example, packets that trigger bugs in a dissector aren't being sent by
or received by your machine, so they'll only show up in promiscuous mode
- but that's *NOT* a reason not to use promiscuous mode, it's a reason
to track down the bug and get it fixed).
> I just noticed with the newest version there's also a syslog entry:
>
> Dec 4 17:30:28 vauus709 kernel: ethereal uses obsolete (PF_INET,SOCK_PACKET)
You're probably not running a 2.0[.x] kernel, so that mechanism is,
indeed, obsolete - there's a better mechanism in 2.2[.x] and 2.4[.x]
kernels.
However, Ethereal doesn't directly use either mechanism; it uses libpcap
to do the packet captures. With which version of libpcap is Ethereal
linked? The one that comes with RH 7.2 should use the new mechanism
(PF_PACKET,SOCK_DGRAM), as should the 0.6.2, 0.7 beta, and current CVS
versions from tcpdump.org, so you've probably linked it with an older
version.
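
The core-file steps above, wrapped as a shell helper (an added example, not part of the original message): it checks that a core file exists, reports when the shell's core size limit would have prevented one from being written, and runs "bt" non-interactively. The function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example: preflight checks, then a non-interactive "bt" on a core file.
# Function names and return codes are assumptions of this example.

# Return 0 if the current shell allows core files to be written.
core_dumps_enabled() {
    limit=$(ulimit -c 2>/dev/null) || return 1
    [ "$limit" = "unlimited" ] && return 0
    [ "${limit:-0}" -gt 0 ] 2>/dev/null
}

# backtrace_from_core BINARY [COREFILE]
# Returns 2 = binary missing, 3 = no core file, 4 = gdb not installed.
backtrace_from_core() {
    bin=$1
    core=${2:-core}
    if [ ! -x "$bin" ]; then
        echo "binary not found or not executable: $bin" >&2
        return 2
    fi
    if [ ! -s "$core" ]; then
        echo "no core file at $core" >&2
        core_dumps_enabled ||
            echo "core dumps are disabled; run 'ulimit -c unlimited' and reproduce" >&2
        return 3
    fi
    if ! command -v gdb >/dev/null 2>&1; then
        echo "gdb is not installed" >&2
        return 4
    fi
    # A stripped binary still yields a trace, but without function names.
    if command -v file >/dev/null 2>&1 && file "$bin" | grep -q ', stripped'; then
        echo "warning: $bin is stripped; expect addresses instead of symbols" >&2
    fi
    # -batch exits after the commands; "bt full" adds local variables.
    gdb -batch -ex "bt" -ex "bt full" "$bin" "$core"
}

# Usage, from the top-level source directory:
#   ulimit -c unlimited; ./ethereal; backtrace_from_core ./ethereal core
```

Redirect the output to a file to attach the full trace to a bug report.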