Subject: [Wireshark-users] in >wireshark-2.0.2, tshark follow ssl stream segfaults
From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jul 2016 20:11:13 +0200
Hi!

(Gentoo meta distro here, but I can't tell if I should file a bug on Gentoo bugzilla or Wireshark bugzilla, so I'm trying the ML first.)

I just tried (after a downgrade-reinstall), and the following problem does not occur with:

    TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)
    ...
    Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
    with libz 1.2.8, with GLib 2.48.1, with SMI 0.5.0, without c-ares, without ADNS,
    with Lua 5.1, with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.
    Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
    version 1.7.4, with libz 1.2.8, with GnuTLS 3.4.14, with Gcrypt 1.7.1.
    AMD Phenom(tm) II X4 965 Processor
    Built using gcc 5.4.0.

However, it occurs with greater versions (I can't recall exactly which other one --I tried only one other version as well-- I had this problem with, but I'll report it now with):

    TShark (Wireshark) 2.1.0 (Git Rev Unknown from unknown)
    ...
    Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
    with GLib 2.48.1, with zlib 1.2.8, with SMI 0.5.0, without c-ares, with Lua 5.1,
    with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.
    Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
    version 1.7.4, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with zlib 1.2.8.
    AMD Phenom(tm) II X4 965 Processor
    Built using gcc 5.4.0.

---

And now the problem. I figured out something was wrong because my (primitive) program:

    https://github.com/miroR/tshark-streams.git

wouldn't get SSL streams either as ascii (text) or as binary (raw) (see the script, please).

Samples for checking with the above versions are only two files from. I used these because the trace is short enough, and all is already posted:

    http://www.croatiafidelis.hr/foss/cap/cap-160606-dns-hr/
    dump_160606_1328_g0n.pcap and dump_160606_1xxx_SSLKEYLOGFILE.txt

Now, running this command with a greater version than 2.0.2 of Wireshark (such as 2.1.0):

    tshark -o "ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt" -r \
      "dump_160606_1328_g0n.pcap" -T fields -e data -qz follow,ssl,raw,0 \
      | grep -E '[[:print:]]' > dump_160606_1328_g0n_s000-ssl.raw

gets me these in the syslog:

    Jul 12 18:01:53 g0n kernel: [158754.212925] grsec: (miro:U:/) exec of /usr/bin/tshark (tshark -o ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
    Jul 12 18:01:53 g0n kernel: [158754.213675] grsec: (miro:U:/) exec of /bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:11976] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
    Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in tshark[23c026e000+43000]
    Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/) Segmentation fault occurred at (nil) in /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
    Jul 12 18:01:53 g0n kernel: [158754.612689] grsec: (miro:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000

And surely, no SSL streams are extracted... Just some garbage, or incomplete tiny stubs instead... Or more errors...

Running that same command with wireshark-2.0.2 (still available in Gentoo portage) works without errors and gets me the SSL streams decrypted, either binary (as above) or text. The (primitive) program tshark-streams.sh that I linked above gets the streams automatically, all of them if set to, or some only, without problems with 2.0.2, SSL or simple TCP streams, and the same program --or just that command line for quick testing-- does get simple TCP streams also with wireshark greater than 2.0.2, but does *not* get the SSL with wireshark greater than 2.0.2.

Does anybody else, with Gentoo or with another distro, have this problem?

Also, as can be seen from the logs, I have a grsecurity-hardened kernel; it could have to do with that as well... I don't know what to try next (other than keeping with the working older version ;-) but I like to be closer to the new development ;-) ...).

Regards!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
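Added here as an illustration, not the poster's tshark-streams script and not Wireshark code: a small Python parser that turns kernel and grsec log lines like the ones quoted above into per-process records, so a crash of tshark can be spotted in a syslog stream and tied back to its command line and faulting instruction pointer. It also reads the RLIMIT_CORE denial for what it means: no core file was written, so a backtrace for the bug report would need the core limit raised before reproducing. The sample lines are constructed from the excerpt in the post (pids and addresses copied from it); the regular expressions are an assumption about the grsec and `traps:` wording shown there and will need adjusting for other kernels or for the plain `segfault at` form.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the syslog excerpt quoted in the post. The grep
# exec record is kept in to show that unrelated processes are separated from the crash.
SAMPLE_LOG = """\
Jul 12 18:01:53 g0n kernel: [158754.212925] grsec: (miro:U:/) exec of /usr/bin/tshark (tshark -o ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 18:01:53 g0n kernel: [158754.213675] grsec: (miro:U:/) exec of /bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:11976] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in tshark[23c026e000+43000]
Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/) Segmentation fault occurred at (nil) in /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 18:01:53 g0n kernel: [158754.612689] grsec: (miro:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Patterns are an assumption about the grsec / kernel wording seen in the post.
EXEC_RE = re.compile(
    r"grsec: \([^)]*\) exec of (?P<path>\S+) \((?P<argv>.*?)\) by \S+\[[^\]]*:(?P<pid>\d+)\]"
)
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] (?P<fault>general protection) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
SEGV_RE = re.compile(
    r"grsec: \([^)]*\) Segmentation fault occurred at (?P<addr>\S+) "
    r"in (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)
CORE_RE = re.compile(
    r"denied resource overstep by requesting (?P<req>\d+) for RLIMIT_CORE "
    r"against limit (?P<limit>\d+) for (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


@dataclass
class ProcessRecord:
    pid: int
    comm: str = ""
    path: str = ""
    argv: str = ""
    fault: str = ""          # e.g. "general protection", from the traps: line
    ip: str = ""             # faulting instruction pointer, hex as logged
    fault_addr: str = ""     # address grsec reports for the segfault, e.g. "(nil)"
    core_requested: Optional[int] = None
    core_limit: Optional[int] = None

    @property
    def crashed(self) -> bool:
        return bool(self.fault or self.fault_addr)

    @property
    def core_dump_denied(self) -> bool:
        # A logged RLIMIT_CORE overstep means no core file was written, so there
        # is nothing to load into a debugger for a backtrace.
        return (self.core_requested is not None and self.core_limit is not None
                and self.core_requested > self.core_limit)


def parse_log(text: str) -> Dict[int, ProcessRecord]:
    """Group exec, trap, segfault and core-limit lines by pid."""
    records: Dict[int, ProcessRecord] = {}

    def rec(pid: str) -> ProcessRecord:
        return records.setdefault(int(pid), ProcessRecord(pid=int(pid)))

    for line in text.splitlines():
        if m := EXEC_RE.search(line):
            r = rec(m["pid"])
            r.path, r.argv = m["path"], m["argv"].strip()
        elif m := TRAP_RE.search(line):
            r = rec(m["pid"])
            r.comm, r.fault, r.ip = m["comm"], m["fault"], m["ip"]
        elif m := SEGV_RE.search(line):
            r = rec(m["pid"])
            r.comm, r.path, r.fault_addr = m["comm"], m["path"], m["addr"]
        elif m := CORE_RE.search(line):
            r = rec(m["pid"])
            r.core_requested, r.core_limit = int(m["req"]), int(m["limit"])
    return records


def find_crashes(text: str) -> List[ProcessRecord]:
    """Return only the processes the log shows faulting."""
    return [r for r in parse_log(text).values() if r.crashed]


def summarize(r: ProcessRecord) -> str:
    core = (f"no core dump (RLIMIT_CORE {r.core_limit})" if r.core_dump_denied
            else "core dump allowed")
    return (f"pid {r.pid} {r.path or r.comm}: {r.fault or 'segfault'} "
            f"at ip {r.ip or '?'}, {core}; argv: {r.argv}")


if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(summarize(crash))
```

Run against a real syslog, `find_crashes` gives one record per faulting pid; the `core_dump_denied` flag is the quickest way to see why a crashing run left no core file behind.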