Can't decode OpenBSD 5.0 pflog files properly on Ubuntu 12.04

Bug #1002142 reported by Justin Jereza
Affects             Status        Importance  Assigned to  Milestone
wireshark (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Please see attached screenshot for example. tcpdump on Ubuntu 12.04 also can't decode the file properly and may be related. Please see bug # 1002138. The packets can be decoded properly by tcpdump on OpenBSD 5.0 itself. The packets can also be decoded properly by the version of Wireshark in Ubuntu 10.04.

The first 10 packets decoded by tcpdump on OpenBSD 5.0 are the following:

# tcpdump -r pflog -c 10
tcpdump: WARNING: snaplen raised from 116 to 1500
11:00:03.879369 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:03.879390 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:05.303412 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:ce:27 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:05.303436 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:ce:27 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:06.074715 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:06.074746 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:10.781760 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:ce:27 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:10.781785 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:ce:27 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:11.552526 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
11:00:11.552550 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x120034 flags:0x8000 ether 00:1e:c1:0a:cc:e7 vend-rfc1048 DHCP:DISCOVER PR:SM+DG+NS+HN+DN+RP+YD
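
The capture in this report is a pcap file with link type DLT_PFLOG, where each record starts with pf's own log header and the IP packet follows it. Every pflog header begins with a one-byte length field, so a decoder that locates the IP header through that byte keeps working when the header grows, while one that hard-codes the header size reads the wrong offset and produces garbage, which is the kind of symptom the description shows. The script below is an added example, not code from the bug report, Wireshark or tcpdump: it builds a constructed two-record capture (the 64- and 100-byte header sizes are my assumption of an older and a newer pflog layout, and the decoder never depends on them), then decodes it both ways.

```python
"""Parse a DLT_PFLOG pcap and locate the IP header via the pflog length byte."""
import struct

DLT_PFLOG = 117          # libpcap link type for OpenBSD pf logging
PCAP_MAGIC = 0xA1B2C3D4  # classic (microsecond) little-endian pcap magic
AF_INET = 2
IPPROTO_UDP = 17

# Assumed header sizes, for illustration only: an older 64-byte pflog header
# and a newer 100-byte one. The decoder relies solely on each record's length byte.
OLD_PFLOG_HDRLEN = 64
NEW_PFLOG_HDRLEN = 100


def bpf_wordalign(n):
    """Round up to a multiple of 4, as BPF_WORDALIGN does for the pflog header."""
    return (n + 3) & ~3


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram (checksums left at zero; not needed here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     64, IPPROTO_UDP, 0, src, dst)
    return ip + udp


def build_pflog_record(hdrlen, ip_packet):
    """Constructed pflog record: length byte, address family, ifname, then the IP packet."""
    hdr = bytearray(hdrlen)
    hdr[0] = hdrlen
    hdr[1] = AF_INET
    hdr[4:4 + 6] = b"pflog0"   # ifname occupies 16 bytes starting at offset 4
    return bytes(hdr) + ip_packet


def build_pcap(packets):
    """Wrap raw records in a little-endian pcap file with link type DLT_PFLOG."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_PFLOG))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def iter_pcap(data):
    """Yield (linktype, record bytes) for every record in a pcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def decode_pflog(record, fixed_hdrlen=None):
    """Decode one pflog record to (ifname, src, dst, sport, dport) for IPv4/UDP.

    With fixed_hdrlen=None the IP header is found via the record's own length
    byte; passing a number mimics a decoder that hard-codes the header size.
    """
    if len(record) < 20:
        return None
    hdrlen = bpf_wordalign(record[0]) if fixed_hdrlen is None else fixed_hdrlen
    ifname = record[4:20].split(b"\0", 1)[0].decode("ascii", "replace")
    ip = record[hdrlen:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or record[1] != AF_INET:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (ifname, src, dst, sport, dport)


def sample_capture():
    """Constructed capture: one record per header size, each a bootpc -> bootps datagram."""
    dhcp = build_ipv4_udp(b"\x00" * 4, b"\xff" * 4, 68, 67, b"\x01\x01\x06\x00")
    return build_pcap([build_pflog_record(OLD_PFLOG_HDRLEN, dhcp),
                       build_pflog_record(NEW_PFLOG_HDRLEN, dhcp)])


def decode_capture(data, fixed_hdrlen=None):
    """Decode every record; None marks a record that did not parse as IPv4/UDP."""
    return [decode_pflog(rec, fixed_hdrlen) if lt == DLT_PFLOG else None
            for lt, rec in iter_pcap(data)]


if __name__ == "__main__":
    cap = sample_capture()
    print("length byte honoured  :", decode_capture(cap))
    print("header size hard-coded:", decode_capture(cap, OLD_PFLOG_HDRLEN))
```

Run stand-alone, the length-honouring decoder reports both records as 0.0.0.0:68 to 255.255.255.255:67 on pflog0, whereas the hard-coded decoder handles only the record whose header happens to match its assumption and returns None for the other, because it reads padding bytes where it expects an IPv4 version nibble. When comparing tools, as this report does between OpenBSD tcpdump, Ubuntu tcpdump and two Wireshark versions, the first thing to check is which of them trusts the length byte.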

Balint Reczey (rbalint) wrote :

Could you please attach a sample capture file?

Evan Huus (eapache) wrote :

Please set the status back to 'New' when you provide a sample capture file.

Thanks
Evan

Changed in wireshark (Ubuntu):
status: New → Incomplete
Justin Jereza (justinjereza) wrote :

I've attached a truncated pflog file. Is this sufficient?

Changed in wireshark (Ubuntu):
status: Incomplete → New
Evan Huus (eapache) wrote :

The attached file opens fine on Wireshark 1.6.7 on Windows 7. I haven't tried it on Ubuntu yet, but I'm leaning towards a libpcap bug, since that's the only significant difference between Wireshark on Ubuntu and Wireshark on Windows (aside from GTK, which is rather obviously unrelated).

Evan Huus (eapache) wrote :

This bug was already reported and fixed upstream at [1]. Wireshark as built from current SVN decodes the sample correctly.

Ubuntu will automatically pick up the fix when Wireshark releases 1.8 and we sync it in from Debian.

If you want the fix in Precise, you can manually run a Wireshark development version, or you can ask the Wireshark devs to backport the fix into the stable 1.6 stream. Once there's a 1.6 release with the fix, you can ask the Ubuntu devs to pull the updated 1.6 package from Debian via an SRU [2]. Precise will not be receiving any 1.8 Wireshark packages, as they will not qualify for an SRU.

Marking this bug as "Fix Committed" to denote that there is a known fix available upstream, but it has not made it into Ubuntu yet.

Thanks,
Evan

[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6115
[2] https://wiki.ubuntu.com/StableReleaseUpdates

Changed in wireshark (Ubuntu):
status: New → Fix Committed
Justin Jereza (justinjereza) wrote :

Thanks.

Curious how it works on Wireshark 1.6.7 on Windows but not on Ubuntu 12.04. In any case, it appears you're right. I just checked the trunk-1.6 dissector code[1] and it hasn't been patched yet.

[1] http://anonsvn.wireshark.org/viewvc/trunk-1.6/epan/dissectors/packet-pflog.c?view=markup

Evan Huus (eapache) wrote :

Marking as Fix Released, as 1.8.2 (with this bug fixed) is in 12.10 (Quantal).

Changed in wireshark (Ubuntu):
status: Fix Committed → Fix Released