On Thu, 9 Oct 2003, Guy Harris wrote:
> > On Oct 9, 2003, at 1:50 AM, Per Steinar Iversen wrote: > > > I am trying to use ethereal 0.9.15 to capture VoIP data, a RedHat 9 > > machine is connected to a spanned port on a Cisco 6509. This works well > > though each packet seems to be seen twice. Ethereal identifies the > > traffic > > as ITU-T G.711 PCMA, that is correct. However if one uses > > "Tools/Statistics/RTP analysis" then ethereal hangs for a while before > > crashing, it leaves behind a file in /tmp that is always 2147483647 > > bytes > > large, the name is typically something like > > /tmp/ethereal_rtp_fwdXXXXNytvOO > > > > Is this a known problem or limitation of ethereal? > > There were, I think, some bugs in the RTP analysis code that caused > crashes. > > The RTP analysis code was rewritten after 0.9.15 came out, and at least > some of those bugs might have been fixed as a result; as you're running > Linux, you might be more likely to have the tools necessary to compile > a CVS snapshot - try downloading a snapshot from > > http://www.ethereal.com/distribution/nightly-builds/ > > (get the most recent one), unpack it, run "./autogen.sh", run > "configure", and run "make". > > The RTP analysis code does create temporary files in some cases; if it > created the temporary file and crashed after that, the temporary file > would not be removed. It's interesting that the size is 2^31-1 bytes > long - that might be due to a bug wherein it was continuously writing > to the file (and, as it's not using Large File Summit API's, it might > be prevented from going past the 32-bit-signed-offset limit), or just > due to that limit. It tried this now and the latest ethereal does not crash - it just complains about "Unsupported coded" and refuses to save the stream in au format. -psi
