On Wednesday 27 August 2008 11:52:18 Christoph Biedl wrote:
> Package: wireshark
> Version: 1.0.2-3
> Severity: normal
>
> "TCP Port numbers reused" happens every now and then, especially if
> the capture is run over a longer time and the client OS does not use a
> wide range of local ports.
>
> Now I noticed that at least for HTTP the extremely useful "Follow TCP
> stream" function ignores all data in the second TCP stream. This
> hides potentially interesting data.
I'd expect this behavior, as these are indeed 2 unrelated TCP streams that
just happen to use the same ports "by accident".
The operation is called "Follow TCP stream" not "Follow TCP streams" ;-)
Joost
> How to repeat
> -------------
>
> Use the following Perl script that does two HTTP GET requests using the
> same local port number. Insert a web server in the $host variable,
> and capture the traffic.
>
> -----------------------------------------------------------
> #!/usr/bin/perl -w
>
> use IO::Socket;
>
> use strict;
>
> my $host = 'a.web.server';
>
> for my $i (1..2) {
>     my $sock = new IO::Socket::INET (
>         PeerAddr => $host,
>         PeerPort => 80,
>         Proto => 'tcp',
>         LocalPort => 9999,
>         ReuseAddr => 1,
>     ) || die ("Cannot create socket: $!.\n");
>
>     print $sock
>         "GET / HTTP/1.0\r\n" .
>         "Host: $host\r\n" .
>         "X-Round: $i\r\n" .
>         "\r\n";
>     while (defined (my $line = <$sock>)) {
>         ;
>     }
>     undef $sock;
>     last if ($i == 2);
>     sleep (1);
> }
> exit 0;
> -----------------------------------------------------------
>
> Open the capture file in wireshark and select "Follow TCP stream".
>
> Expected behaviour: wireshark shows both request/response pairs.
>
> Seen behaviour: wireshark always only shows the first pair, identified
> by the "X-Round: 1" header. Selecting a packet of the second pair
> before doing the "Follow TCP stream" does not help.
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages wireshark depends on:
> ii  libadns1          1.4-0.1             Asynchronous-capable DNS client li
> ii  libatk1.0-0       1.22.0-1            The ATK accessibility toolkit
> ii  libc6             2.7-13              GNU C Library: Shared libraries
> ii  libcairo2         1.6.4-6             The Cairo 2D vector graphics libra
> ii  libcomerr2        1.41.0-3            common error description library
> ii  libgcrypt11       1.4.1-1             LGPL Crypto library - runtime libr
> ii  libglib2.0-0      2.16.4-2            The GLib library of C routines
> ii  libgnutls26       2.4.1-1             the GNU TLS library - runtime libr
> ii  libgtk2.0-0       2.12.11-3           The GTK+ graphical user interface
> ii  libkrb53          1.6.dfsg.4~beta1-3  MIT Kerberos runtime libraries
> ii  libpango1.0-0     1.20.5-1            Layout and rendering of internatio
> ii  libpcap0.8        0.9.8-5             system interface for user-level pa
> ii  libpcre3          7.6-2.1             Perl 5 Compatible Regular Expressi
> ii  libportaudio2     19+svn20071022-2    Portable audio I/O - shared librar
> ii  wireshark-common  1.0.2-3             network traffic analyser (common f
> ii  zlib1g            1:1.2.3.3.dfsg-12   compression library - runtime
>
> Versions of packages wireshark recommends:
> ii gksu 2.0.0-5 graphical frontend to su
>
> wireshark suggests no packages.
>
> -- no debconf information
--
homepage: http://damad.be/joost
photo/blog: http://damad.be/joost/blog
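
An added example, not part of the original messages and not Wireshark's code: it shows why a stream lookup keyed only on the address/port 4-tuple cannot tell the two connections from the report apart, and one simplified way to split them (a bare SYN with a new initial sequence number opens a new connection). The packet tuples, addresses and sequence numbers are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample capture: two HTTP connections from client port 9999,
# as the Perl script in the report produces.
# Fields: (src, sport, dst, dport, flags, seq, payload)
C, S = "10.0.0.2", "10.0.0.80"   # made-up addresses
PACKETS = [
    (C, 9999, S, 80, "S", 1000, b""),
    (S, 80, C, 9999, "SA", 5000, b""),
    (C, 9999, S, 80, "A", 1001, b"GET / HTTP/1.0\r\nX-Round: 1\r\n\r\n"),
    (S, 80, C, 9999, "A", 5001, b"HTTP/1.0 200 OK\r\n\r\nfirst"),
    (C, 9999, S, 80, "FA", 1031, b""),
    (S, 80, C, 9999, "FA", 5026, b""),
    (C, 9999, S, 80, "S", 77000, b""),   # same ports, new ISN: port reuse
    (S, 80, C, 9999, "SA", 91000, b""),
    (C, 9999, S, 80, "A", 77001, b"GET / HTTP/1.0\r\nX-Round: 2\r\n\r\n"),
    (S, 80, C, 9999, "A", 91001, b"HTTP/1.0 200 OK\r\n\r\nsecond"),
]

def flow_key(pkt):
    """Direction-independent key for the address/port 4-tuple."""
    src, sport, dst, dport = pkt[:4]
    return tuple(sorted([(src, sport), (dst, dport)]))

def split_connections(packets):
    """Return one payload list per TCP connection.

    A bare SYN (no ACK) whose sequence number differs from the SYN that
    opened the current connection on the same 4-tuple starts a new one;
    an identical SYN is treated as a retransmission.
    """
    connections = []   # list of lists of payload bytes
    current = {}       # flow_key -> (index into connections, ISN)
    for pkt in packets:
        key, flags, seq, payload = flow_key(pkt), pkt[4], pkt[5], pkt[6]
        if flags == "S" and (key not in current or current[key][1] != seq):
            connections.append([])
            current[key] = (len(connections) - 1, seq)
        if key not in current:   # capture started mid-connection
            connections.append([])
            current[key] = (len(connections) - 1, None)
        if payload:
            connections[current[key][0]].append(payload)
    return connections

def follow(packets, index):
    """Concatenate the payloads of one connection, in capture order."""
    return b"".join(split_connections(packets)[index])
```

All ten packets share one `flow_key`, so only the SYN-based split makes the "X-Round: 2" exchange reachable as connection index 1.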