Wireshark-users: Re: [Wireshark-users] in >wireshark-2.0.2, tshark follow ssl stream segfaults
From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Thu, 14 Jul 2016 23:30:56 +0200
I've just posted on the bug report:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12616#c7
and since I'm not so savvy, I'm more comfortable writing to ML. I'll
post to bugzilla if the case becomes clearer.

On 160713-08:36+0200, Miroslav Rovis wrote:
> On 160712-18:37-0400, Jeff Morriss wrote:

This below:
> ...
> > > tshark -o "ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt" -r \
> > > "dump_160606_1328_g0n.pcap" -T fields -e data -qz follow,ssl,raw,0
> > > \
> > > | grep -E '[[:print:]]' > dump_160606_1328_g0n_s000-ssl.raw

is the exact command that I used again, but on the updated Wireshark,
that contains Jeff's patch (let me repaste what I already posted on the
Bugzilla for clarity):

$ tshark -v
TShark (Wireshark) 2.1.1-git (v2.1.1rc0-522-g6c0972b from master)

Copyright 1998-2016 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.5.0, without c-ares, with Lua 5.1,
with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.

Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
version 1.7.4, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with zlib 1.2.8.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 5.4.0.
$

And again
> > >
> > > gets me these in the syslog:
it gets me same kind of lines in the syslog (the fresh, but very similar
lines further below)

> > >
> > >
> [...]
>
> > >
> > > Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general
> > > protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in
> > > tshark[23c026e000+43000]
> > >
> > > Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/)
> > > Segmentation fault occurred at (nil) in
> > > /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
> > > parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
> > >

Jul 14 22:51:43 g0n kernel: [102763.437373] grsec: (miro:U:/) exec of /usr/bin/tshark (tshark -o ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:16898] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:51:53 g0n kernel: [102773.501148] grsec: (miro:U:/) exec of /usr/bin/tshark (tshark -o ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:16901] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:51:53 g0n kernel: [102773.501846] grsec: (miro:U:/) exec of /bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:16902] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:51:53 g0n kernel: [102773.881845] traps: tshark[16901] general protection ip:6c00acd230 sp:3e6575a3070 error:0 in tshark[6c00aa9000+43000]
Jul 14 22:51:53 g0n kernel: [102773.881865] grsec: (miro:U:/) Segmentation fault occurred at (nil) in /usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:51:53 g0n kernel: [102773.881882] grsec: (miro:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:51:58 g0n kernel: [102778.981062] grsec: (miro:U:/) exec of /usr/bin/file (file dump_160606_1328_g0n_s000-ssl.raw ) by /usr/bin/file[bash:16905] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:52:08 g0n kernel: [102788.333959] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat dump_160606_1328_g0n_s000-ssl.raw ) by /bin/cat[bash:16906] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:52:08 g0n kernel: [102788.334509] grsec: (miro:U:/) exec of /bin/grep (grep --colour=auto ============ ) by /bin/grep[bash:16907] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
Jul 14 22:52:12 g0n kernel: [102792.753275] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat dump_160606_1328_g0n_s000-ssl.raw ) by /bin/cat[bash:16909] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Complete log there.

As you can see from the first line in that excerpt from my syslog
(... Jul 14 22:51:43 g0n kernel: [102763.437373] grsec: ...), I did use
the same two files
(... dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap ...)
as previously in this thread and also in the bug report.

So this could be something else then. But it probably wouldn't be
pertinent from me to speculate much on what it could be. At least now
that I don't have any clear idea...

But I'm ready to tell more about what might be needed about other things
about my Gentoo system if they are relevant.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
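For triaging the `traps:` lines in the syslog excerpt above, an added example (not part of the original message and not Wireshark code): the mapping base differs between the two runs (23c026e000 vs 6c00aa9000), so it rebases each faulting `ip` to an offset from the start of the tshark mapping, and it lists the PID whose core dump was refused by the RLIMIT_CORE limit. The function names are illustrative, and the offset is assumed to be relative to the mapping the kernel printed, so each one must be resolved against the binary that was running at that time.

```python
import re

# Lines copied from the syslog excerpt in the message above.
SYSLOG = """\
Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in tshark[23c026e000+43000]
Jul 14 22:51:53 g0n kernel: [102773.881845] traps: tshark[16901] general protection ip:6c00acd230 sp:3e6575a3070 error:0 in tshark[6c00aa9000+43000]
Jul 14 22:51:53 g0n kernel: [102773.881882] grsec: (miro:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000
"""

TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] .*? ip:(?P<ip>[0-9a-f]+) "
    r"sp:[0-9a-f]+ error:[0-9a-f]+ in (?P<image>[^\[\s]+)"
    r"\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
CORE_RE = re.compile(
    r"denied resource overstep by requesting \d+ for RLIMIT_CORE "
    r"against limit (?P<limit>\d+) for \S+\[[^:\]]+:(?P<pid>\d+)\]"
)


def fault_offsets(log):
    """Return one record per traps: line, with ip rebased to the mapping start."""
    records = []
    for m in TRAP_RE.finditer(log):
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        offset = ip - base
        records.append({
            "pid": int(m["pid"]),
            "image": m["image"],
            "offset": offset,
            # False would mean the ip lies outside the mapping the kernel named.
            "in_mapping": 0 <= offset < size,
        })
    return records


def pids_without_core(log):
    """PIDs whose core dump was refused, so no core file exists to inspect."""
    return {int(m["pid"]) for m in CORE_RE.finditer(log)}


if __name__ == "__main__":
    for r in fault_offsets(SYSLOG):
        print(f"pid {r['pid']}: {r['image']}+{r['offset']:#x} in_mapping={r['in_mapping']}")
    print("no core dump for pids:", sorted(pids_without_core(SYSLOG)))
```

The two offsets come from different builds (the earlier one and the one with the patch), so they are not directly comparable with each other.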