Ethereal-users: [Ethereal-users] Segmentation Fault

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Sebastian Felis <felis@xxxxxxxxxxxxx>
Date: Mon, 08 Nov 2004 18:04:48 +0100
Hi,

I'm not sure if this mailing list is the right one, but maybe you could help
out.

Currently I'm writing a wlan measurement script in perl, based on
tethereal. The script opens tethereal in a pipe and reads the dissected
packets as strings in order to parse and collect some statistical data.
The pipe command of tethereal contains a huge parameter list of -z
proto,colinfo,<field>,<field> to retrieve all needed protocol fields.

While capturing wlan frames, the monitor channel is switched about 5
times a second (I use a D-Link card with atheros chip set and madwifi
driver from 2004-08-04 on a debian testing box).

From time to time, a segmentation fault is created inside tethereal and
I have to reopen the tethereal pipe - the base of my measurement tool.

I attached a small dump file which crashes tethereal with the following
minimal parameters (at least on my box). If one field is removed,
tethereal isn't crashing. According to the man page of tethereal the
amount of -z proto,colinfo parameters isn't limited.


tethereal \
-r 2004-09-23.dump \
-l -n -R wlan \
-z proto,colinfo,wlan_mgt.tag.number,wlan_mgt.tag.number \
-z proto,colinfo,wlan_mgt.tag.interpretation,wlan_mgt.tag.interpretation \
-z proto,colinfo,wlan.fc.subtype,wlan.fc.subtype \
-z proto,colinfo,wlan.sa,wlan.sa \
-z proto,colinfo,frame.number,frame.number


I tried to detect the SEGV by ddd/gdb, but couldn't locate it well. The
SEGV occurs in the 5th packet while dissecting the tcp conversation by
allocating a new chunk (conversation.c:444).


Do you know any help or hints to get tethereal to work well? Maybe there
are problems while switching the channels?

Best regards

Sebastian Felis
$ gdb tethereal-2004-11-08
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -r 2004-09-23.dump -l -n -R wlan -z proto,colinfo,wlan_mgt.tag.number,wlan_mgt.tag.number -z proto,colinfo,wlan_mgt.tag.interpretation,wlan_mgt.tag.interpretation -z proto,colinfo,wlan.fc.subtype,wlan.fc.subtype -z proto,colinfo,wlan.sa,wlan.sa -z proto,colinfo,frame.number,frame.number
Starting program: /usr/local/bin/tethereal-2004-11-08 -r 2004-09-23.dump -l -n -R wlan -z proto,colinfo,wlan_mgt.tag.number,wlan_mgt.tag.number -z proto,colinfo,wlan_mgt.tag.interpretation,wlan_mgt.tag.interpretation -z proto,colinfo,wlan.fc.subtype,wlan.fc.subtype -z proto,colinfo,wlan.sa,wlan.sa -z proto,colinfo,frame.number,frame.number
[Thread debugging using libthread_db enabled]
[New Thread 1086875200 (LWP 7682)]
  1   0.000000 0.000000 00:90:4b:1b:ce:2c -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request[Malformed Packet]  frame.number == 1  wlan.sa == 00:90:4b:1b:ce:2c  wlan.fc.subtype == 4  wlan_mgt.tag.interpretation == ""  wlan_mgt.tag.interpretation == "Supported rates: 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 [Mbit/sec]"  wlan_mgt.tag.interpretation == "Supported rates: 6.0 9.0 12.0 48.0 [Mbit/sec]"  wlan_mgt.tag.interpretation == "Not interpreted"  wlan_mgt.tag.number == 0  wlan_mgt.tag.number == 1  wlan_mgt.tag.number == 50  wlan_mgt.tag.number == 221  wlan_mgt.tag.number == 186 2004-09-23 13:07:45.957187
  2   0.001414 0.001414              -> 00:09:5b:a3:ea:66 (RA) IEEE 802.11 Acknowledgement  frame.number == 2  wlan.fc.subtype == 13 2004-09-23 13:07:45.958601
  3   0.028938 0.027524 00:90:4b:1b:ce:2c -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request[Malformed Packet]  frame.number == 3  wlan.sa == 00:90:4b:1b:ce:2c  wlan.fc.subtype == 4  wlan_mgt.tag.interpretation == ""  wlan_mgt.tag.interpretation == "Supported rates: 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 [Mbit/sec]"  wlan_mgt.tag.interpretation == "Supported rates: 6.0 9.0 12.0 48.0 [Mbit/sec]"  wlan_mgt.tag.interpretation == "Not interpreted"  wlan_mgt.tag.number == 0  wlan_mgt.tag.number == 1  wlan_mgt.tag.number == 50  wlan_mgt.tag.number == 221  wlan_mgt.tag.number == 172 2004-09-23 13:07:45.986125
  4   0.075011 0.046073 00:0d:88:55:d2:05 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Beacon frame[Malformed Packet]  frame.number == 4  wlan.sa == 00:0d:88:55:d2:05  wlan.fc.subtype == 8  wlan_mgt.tag.interpretation == "d-ar1"  wlan_mgt.tag.interpretation == "Supported rates: 1.0(B) 2.0(B) 5.5 11.0 [Mbit/sec]"  wlan_mgt.tag.interpretation == "Current Channel: 2"  wlan_mgt.tag.interpretation == "DTIM count 0, DTIM period 1, Bitmap control 0x0, (Bitmap suppressed)"  wlan_mgt.tag.number == 0  wlan_mgt.tag.number == 1  wlan_mgt.tag.number == 3  wlan_mgt.tag.number == 5  wlan_mgt.tag.number == 220 2004-09-23 13:07:46.032198

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1086875200 (LWP 7682)]
0x40bc0174 in mallopt () from /lib/tls/libc.so.6
(gdb) bt
#0  0x40bc0174 in mallopt () from /lib/tls/libc.so.6
#1  0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#2  0xbfffde58 in ?? ()
#3  0x00000000 in ?? ()
#4  0x40c83988 in __after_morecore_hook () from /lib/tls/libc.so.6
#5  0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#6  0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#7  0x081b8758 in ?? ()
#8  0x00002008 in ?? ()
#9  0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#10 0x40c82fcc in ?? () from /lib/tls/libc.so.6
#11 0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#12 0x00000001 in ?? ()
#13 0x00002000 in ?? ()
#14 0x40bbf11d in malloc () from /lib/tls/libc.so.6
#15 0x40c83940 in __after_morecore_hook () from /lib/tls/libc.so.6
#16 0x00002000 in ?? ()
#17 0x40ae0398 in ?? () from /usr/lib/libglib-2.0.so.0
#18 0x00002000 in ?? ()
#19 0x00000000 in ?? ()
#20 0xbfffde58 in ?? ()
#21 0x40a8d367 in g_malloc () from /usr/lib/libglib-2.0.so.0
Previous frame inner to this frame (corrupt stack?)
(gdb)

Attachment: 2004-09-23.dump
Description: Binary data
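The summary lines printed above are what a measurement script reading the tethereal pipe has to parse. The following is an added example in Python, not the poster's Perl script and not Ethereal code: it splits each line into the summary column, the "field == value" pairs that -z proto,colinfo appends (quoted values may contain spaces, and a field listed several times or present several times in a frame yields several values) and the trailing timestamp, then keeps the per-frame counters such a script would collect. The two sample lines are constructed from the output in the post.

```python
import re
from collections import Counter, defaultdict

# One "field == value" pair as appended by -z proto,colinfo,<field>,<field>.
# The value is either a double-quoted string (may contain spaces) or a bare token.
PAIR_RE = re.compile(r'([A-Za-z0-9_.]+) == ("(?:[^"\\]|\\.)*"|\S+)')

def parse_colinfo_line(line):
    """Return summary text, colinfo fields (name -> list of values) and the
    trailing timestamp of one tethereal summary line, or None for non-packet
    output such as a capture warning."""
    matches = list(PAIR_RE.finditer(line))
    if not matches:
        return None
    fields = defaultdict(list)
    for m in matches:
        name, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = value[1:-1]          # drop the quotes, keep the inner text verbatim
        fields[name].append(value)       # repeated fields are kept in order
    summary = line[:matches[0].start()].rstrip()
    return {
        "summary": summary,
        # the dissector marks frames it could not fully decode in the info column
        "malformed": "[Malformed Packet]" in summary,
        "fields": dict(fields),
        "timestamp": line[matches[-1].end():].strip(),
    }

def collect_stats(lines):
    """Aggregate frames per 802.11 subtype and per source address, and count
    malformed frames, as a measurement script would do per pipe line."""
    per_subtype, per_source, malformed = Counter(), Counter(), 0
    for line in lines:
        pkt = parse_colinfo_line(line)
        if pkt is None:
            continue
        for st in pkt["fields"].get("wlan.fc.subtype", []):
            per_subtype[st] += 1
        for sa in pkt["fields"].get("wlan.sa", []):
            per_source[sa] += 1
        malformed += int(pkt["malformed"])
    return {"subtype": per_subtype, "source": per_source, "malformed": malformed}

# Constructed sample: two summary lines in the format shown in the post (shortened).
SAMPLE = [
    '  1   0.000000 0.000000 00:90:4b:1b:ce:2c -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request[Malformed Packet]  frame.number == 1  wlan.sa == 00:90:4b:1b:ce:2c  wlan.fc.subtype == 4  wlan_mgt.tag.interpretation == ""  wlan_mgt.tag.interpretation == "Supported rates: 1.0 2.0 5.5 11.0 [Mbit/sec]"  wlan_mgt.tag.number == 0  wlan_mgt.tag.number == 1 2004-09-23 13:07:45.957187',
    '  2   0.001414 0.001414              -> 00:09:5b:a3:ea:66 (RA) IEEE 802.11 Acknowledgement  frame.number == 2  wlan.fc.subtype == 13 2004-09-23 13:07:45.958601',
]
```

Feeding the script's pipe lines through collect_stats keeps the counters independent of tethereal restarts, since each line is parsed on its own.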