Modify

Opened 5 years ago

Last modified 4 years ago

#12597 new defect

Ulogd creates pcap files that could not be loaded with Wireshark

Reported by: steffenmail@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

When I try to load pcap files created by ulogd with the pcap plugin, it says that the len field is corrupted.
Opening the files with tcpdump works.

The bug was reported as bug 1528 to wireshark (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1528)

But the fix reported there and also here (http://bugzilla.netfilter.org/show_bug.cgi?id=535)
didn't worked for me.

Which is no wonder. It changes the content of the caplen and not the len field.

I debugged the issue and found out that the following patch fixes the issue:

--- ulogd-1.24-orig/pcap/ulogd_PCAP.c 2005-11-25 20:58:25.000000000 +0100
+++ ulogd-1.24/pcap/ulogd_PCAP.c 2012-11-28 20:18:00.374978140 +0100
@@ -132,7 +132,7 @@

struct pcap_sf_pkthdr pchdr;


pchdr.caplen = GET_VALUE(1).ui32;

  • pchdr.len = GET_VALUE(2).ui32;

+ pchdr.len = GET_VALUE(2).ui16;

if (GET_FLAGS(3) & ULOGD_RETF_VALID

&& GET_FLAGS(4) & ULOGD_RETF_VALID) {

Attachments (1)

004-fix-pcap-corruption.patch (455 bytes) - added by anonymous 5 years ago.

Download all attachments as: .zip

Change History (2)

Changed 5 years ago by anonymous

comment:1 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

Action
as new .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.