Ethereal-users: Re: [ethereal-users] Buglet in Ethereal 0.8.9

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 18 Jun 2000 00:49:11 -0700
On Sat, Jun 17, 2000 at 11:30:57PM -0700, Guy Harris wrote:
> On Sat, Jun 17, 2000 at 11:02:44PM +0200, Erwin Hogeweg wrote:
> > I think the packet filter function has a small bug. If filtering on a
> > byte combination in the data part of a tcp/ip packet also 'plain' tcp/ip
> > packages (TCP ACK, ARP, etc) are shown.
> 
> What's a filter expression that shows the problem when used with your
> capture file?

The filter, as per your mail to me, was

	frame[54] == 47:49:4f:50

(i.e., checking for GIOP packets) - and every single frame in the
capture has those four bytes at an offset of 54, even the payload-less
TCP and ARP packets!

The payload-less TCP and ARP packets don't *really* have that much data
in them; however, they're padded to 60 bytes to the minimum Ethernet
frame size, and the padding data appears to include "GIOP" at an offset
of 54 bytes (perhaps because that was what was in the OS network buffer
used for that packet the previous time it was used, and because the OS
just leaves whatever junk was there previously as Ethernet padding).

As per my response to your mail, if you want to restrict the display to
GIOP packets, a filter of just "giop" works.