Ethereal-users: Re: [Ethereal-users] Error! Invalid xml in c:\ProgramFiles\Ethereal\diameter/dic

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Thu, 3 Jul 2003 07:25:09 +0200
rpucket wrote:
>Actually I found that TCP was causing me problems (yes...I know...what??)
>
>Initially I disabled the diameter protocol.  Again Ethereal crashed.  So
>then I disabled everything.  Now Ethereal opened the file without crashing.
>
>So by going through a process of elimination I discovered that I only needed
>TCP disabled to open the file.  If I re-enabled TCP, Ethereal again crashes
>after processing ~20% of the file.  This is still the case whether or not
>the diameter protocol is enabled.
>
>The thing is, if I opened my other dumps, Ethereal did not crash even with
>everything enabled.


Hi,

If you disable the TCP protocol, all protocols running on top of TCP will also not be called from the TCP dissector. So your
experiment shows that there is probably a fault in one of the protocol dissectors for a protocol running on top of TCP, but there are a lot of them.

So instead of disabling TCP you could try to disable some higher level protocols instead (e.g. one at a time).
You could try disabling e.g. RPC, SMB, iSCSI and also some of the protocols you normally have in your network that
are running on top of TCP (but actually the problem could be in a dissector for a protocol that you don't have in your network - often
crashes occur for malformed packets according to what the dissector expects).

It would also be good to find out what packet(s) seem to crash Ethereal or to try to use a debugger if you have
one (e.g. opening the capture in Ethereal on Linux).

Maybe you can find out for about what packet number you get the crash when opening the file in tethereal.
Then it would probably be possible to make a smaller capture file that causes the crash and
also easier to find what protocol dissectors to suspect.
You could use e.g. editcap to extract a range of packets.
Please note that it may not be enough to have just a single packet to get the crash - so start with extracting a range of packets
around the packet number that seems to cause tethereal to crash.

Do you get some kind of DrWatson-log (drwtsn32.log) or some other details when you get the crash?
I haven't used Windows XP so much so I don't know if DrWatson is available on XP.
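
An added example, not part of the original message: one way to automate the narrowing described above, finding the smallest contiguous packet range that still reproduces the crash, including the case where one packet alone is not enough. It assumes editcap and tethereal are on PATH on a POSIX system; the file names, packet numbers and the simulated crash condition are constructed for illustration.

```python
import subprocess
from typing import Callable, Tuple

def crashes_in_tethereal(capture: str, first: int, last: int) -> bool:
    """Keep packets first..last with editcap, then read the subset with tethereal.
    Assumptions: both tools are on PATH, and a negative return code means the
    process died from a signal (POSIX behaviour)."""
    subset = "subset.cap"  # hypothetical scratch file
    subprocess.run(["editcap", "-r", capture, subset, f"{first}-{last}"], check=True)
    run = subprocess.run(["tethereal", "-r", subset],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return run.returncode < 0

def smallest_crashing_range(total: int,
                            crashes: Callable[[int, int], bool]) -> Tuple[int, int]:
    """Return the narrowest contiguous range (first, last), 1-based inclusive,
    that still reproduces the crash. Assumes any range that contains a
    crashing range also crashes."""
    if not crashes(1, total):
        raise ValueError("the full capture does not reproduce the crash")
    # Step 1: smallest 'last' for which packets 1..last crash.
    lo, hi = 1, total
    while lo < hi:
        mid = (lo + hi) // 2
        if crashes(1, mid):
            hi = mid
        else:
            lo = mid + 1
    last = lo
    # Step 2: largest 'first' for which first..last still crash. Earlier
    # packets that set up dissector state stay inside the range.
    lo, hi = 1, last
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if crashes(mid, last):
            lo = mid
        else:
            hi = mid - 1
    return lo, last

def simulated_crash(first: int, last: int) -> bool:
    """Constructed stand-in: packet 4207 only crashes if 4180 came before it."""
    return first <= 4180 and last >= 4207

if __name__ == "__main__":
    print(smallest_crashing_range(20000, simulated_crash))
    # Against a real file (hypothetical name):
    # smallest_crashing_range(20000, lambda a, b: crashes_in_tethereal("dump.cap", a, b))
```

The resulting range is the small capture file to attach to a bug report or to open under a debugger.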