On Thu, 9 Oct 2003, Guy Harris wrote:
>
> On Oct 9, 2003, at 1:50 AM, Per Steinar Iversen wrote:
>
> > I am trying to use ethereal 0.9.15 to capture VoIP data, a RedHat 9
> > machine is connected to a spanned port on a Cisco 6509. This works well
> > though each packet seems to be seen twice. Ethereal identifies the
> > traffic
> > as ITU-T G.711 PCMA, that is correct. However if one uses
> > "Tools/Statistics/RTP analysis" then ethereal hangs for a while before
> > crashing, it leaves behind a file in /tmp that is always 2147483647
> > bytes
> > large, the name is typically something like
> > /tmp/ethereal_rtp_fwdNytvOO
> >
> > Is this a known problem or limitation of ethereal?
>
> There were, I think, some bugs in the RTP analysis code that caused
> crashes.
>
> The RTP analysis code was rewritten after 0.9.15 came out, and at least
> some of those bugs might have been fixed as a result; as you're running
> Linux, you might be more likely to have the tools necessary to compile
> a CVS snapshot - try downloading a snapshot from
>
> http://www.ethereal.com/distribution/nightly-builds/
>
> (get the most recent one), unpack it, run "./autogen.sh", run
> "configure", and run "make".
>
> The RTP analysis code does create temporary files in some cases; if it
> created the temporary file and crashed after that, the temporary file
> would not be removed. It's interesting that the size is 2^31-1 bytes
> long - that might be due to a bug wherein it was continuously writing
> to the file (and, as it's not using Large File Summit API's, it might
> be prevented from going past the 32-bit-signed-offset limit), or just
> due to that limit.
It tried this now and the latest ethereal does not crash - it just
complains about "Unsupported coded" and refuses to save the stream in au
format.
-psi
