Ethereal-users: RE: [Ethereal-users] c0000005 (access violation) in proto_reg_handoff_netlib
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Paul Offord <paul.offord@xxxxxxxxxxxxxx>
Date: Tue, 7 Jan 2003 14:52:17 -0000
I've found the packet that causes the problem by slicing the trace until I was left with one packet - only 17 iterations, which is not bad as the capture was 37 MB. Now I can load this single packet capture and it crashes Ethereal every time.

I converted the single packet capture to Netmon format with editcap and interestingly Netmon 4 misinterprets it as an MSRPC packet - I've seen Netmon make this mistake before - and it definitely isn't MSRPC. My colleague then loaded it into Netmon 5 and sure enough it interprets the data as TDS. The record appears to be a response from a SQL Server 7 box giving a list of column names and attributes. My colleague said that he believes it's SQL Server 7 as the column names are in ASCII not UNICODE - but I should stress that this is just our loose theory.

I suppose I should now slip this over to the ethereal-dev list, right?

Regards...Paul

-----Original Message-----
From: Paul Offord
Sent: 07 January 2003 13:19
To: ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] c0000005 (access violation) in proto_reg_handoff_netlib

Good call Martin. What I didn't say in my earlier posting was that I also get the problem when loading capture files created with WinDump. I did a quick test loading a capture I created yesterday with WinDump and Ethereal crashed. I switched TDS off and the capture file loads OK.

I'll try to find the packet that causes the problem.

Best regards...Paul

-----Original Message-----
From: Martin Regner [mailto:martin.regner@xxxxxxxxx]
Sent: 07 January 2003 12:43
To: Paul Offord; ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] c0000005 (access violation) in proto_reg_handoff_netlib

Paul Offord wrote:

>Hi,
>
>I use Ethereal 0.9.7 with WinPcap 2.3 on Windows 2000 (Build 2195). I
>downloaded binary versions of both Ethereal and WinPcap.
>
>I have no problems capturing short traces. However, if I capture a
>reasonable size trace, the following happens:
>
>* I hit Stop in the Capture window
>* A small message box appears showing the Loading status (the small bar
>starts to move to show progress)
>* I get an error stating that Ethereal application has terminated.
>
>The Dr Watson log shows an Access Violation in proto_reg_handoff_netlib.
>I've included the Stack Back Trace below (the parameters passed in the final
>call to proto_reg_handoff_netlib don't look right).

I guess that there is some memory overwrite in some protocol dissector. The back trace you sent doesn't look reasonable. I guess that at least part of the back trace is corrupt because the memory has been overwritten. It may not be that the problem is in the TDS/Netlib dissector (packet-tds.c), but there have been some crash problems with that dissector.

>
>* Is this a known problem?
>
>* Is there a fix?

The TDS/Netlib dissector has been changed after Ethereal 0.9.7. There were some crash problems with that dissector.

You can maybe start by disabling the TDS and Netlib protocols in Ethereal 0.9.7 (Edit/Protocol .../Decoding/..) and see if you still get problems. If you don't get the crash problem then you will know that it is probably the TDS/Netlib dissector that caused the crash. (If you still get problems with the TDS/Netlib dissector disabled you can disable some more protocols).

Then you can try to install Ethereal 0.9.8 and see if you still get problems. If so it would be good to get a capture of the packets that cause Ethereal to crash. You could e.g. disable all or almost all protocol dissectors in order to do the capturing without getting a crash (hopefully) and save the capture to a file, and then enable protocols again and see if you get any crash. Be sure to not include any confidential data in the capture.

>
>* What is the correct procedure for reporting Ethereal bugs?
>

I think you did the right things sending a mail with as much information as possible to the list. You've included info about Ethereal version, WinPcap version, OS and backtrace and other details and that is a very good start.
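
The capture slicing described in the message above, as an added example that is not part of the original thread or of Ethereal: a binary search over the records of a classic little-endian pcap file that keeps whichever half still reproduces the crash. It assumes the crash is triggered by one packet on its own; `toy_crashes` and `build_pcap` are constructed stand-ins for "the analyzer dies on this file" and for a real capture.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")   # classic libpcap global header (24 bytes)
REC_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(payloads, linktype=1):
    """Serialise payloads as a little-endian pcap file (constructed sample data)."""
    out = [PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, p in enumerate(payloads):
        out.append(REC_HDR.pack(i, 0, len(p), len(p)) + p)
    return b"".join(out)

def read_records(pcap):
    """Return (global_header, [raw record bytes]) without decoding payloads."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    records, off = [], PCAP_HDR.size
    while off < len(pcap):
        incl_len = REC_HDR.unpack_from(pcap, off)[2]
        end = off + REC_HDR.size + incl_len
        if end > len(pcap):
            raise ValueError("truncated record")
        records.append(pcap[off:end])
        off = end
    return pcap[:PCAP_HDR.size], records

def toy_crashes(pcap):
    """Hypothetical predicate: first payload byte declares more data than exists."""
    _, recs = read_records(pcap)
    return any(len(r) > 16 and r[16] > len(r) - 17 for r in recs)

def bisect_crash(pcap, crashes):
    """Halve the capture until a single record still makes crashes() true.
    Returns (record_index, single_packet_pcap, iterations)."""
    hdr, recs = read_records(pcap)
    if not crashes(pcap):
        raise ValueError("capture does not reproduce the crash")
    lo, hi, steps = 0, len(recs), 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        steps += 1
        if crashes(hdr + b"".join(recs[lo:mid])):
            hi = mid          # trigger is in the first half
        else:
            lo = mid          # single-trigger assumption: it must be in the rest
    single = hdr + recs[lo]
    if not crashes(single):
        raise ValueError("crash needs more than one packet; bisection is not enough")
    return lo, single, steps
```

In practice `crashes` would write the bytes to a temporary file and load it with the analyzer build under test in a child process, treating an abnormal exit as true.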