Wireshark-bugs: [Wireshark-bugs] [Bug 2477] New: Illegal characters in XML output for ssh.paddin
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2477
Summary: Illegal characters in XML output for ssh.padding_string
Product: Wireshark
Version: 0.99.8
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: robert.e.cranfill@xxxxxxxxxx
Created an attachment (id=1709)
--> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=1709)
Tshark capture file containing a sample SSH login which shows the problem.
Build Information:
TShark 0.99.8 (SVN Rev 24492)
Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.14.6, with WinPcap (version unknown), with libz 1.2.3,
with libpcre 7.0, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1,
with Gcrypt 1.2.3, with MIT Kerberos.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.
Built using Microsoft Visual C++ 6.0 build 8804
--
The XML output using the "-T pdml" has invalid characters (non-printing
characters) in the "ssh.padding_string" field's "show" attribute, as seen in
the attached capture file (bad_ssh.1.packetdata).
I elicited the bad SSH field by starting a capture with:
tshark -i 4 -f "port 22" -w bad_ssh.1.packetdata
and then logging in to a networked machine via SSH.
If the attached file is output to XML via the command:
tshark -r bad_ssh.1.packetdata -T pdml >bad_ssh.1.packetdata.xml
the resulting XML can be searched for the field "ssh.padding_string". There are
several in the sample data, but the first one, in the seventh packet, has (I
hope this Bugzilla web page will allow pasting these non-printing chars; we'll
see....)
<field name="ssh.padding_string" showname="Padding String:
\354\017A\257F\206\376NE" size="9" pos="477" show="ì\x0fA¯F†þNE"
value="ec0f41af4686fe4e45"/>
whereas the same XML produced on a Linux machine has the line
<field name="ssh.padding_string" showname="Padding String:
\354\017A\257F\206\376NE" size="9" pos="477" show="\xec\x0fA\xafF\x86\xfeNE"
value="ec0f41af4686fe4e45"/>
Notice that the Linux output has "escaped" chars in the "show" field, whereas
the Windows output does not.
This causes much grief to my XML parser!
- rob
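
For anyone consuming PDML that may contain such bytes, here is one way to pre-process it before parsing. This is an added example, not part of the original report and not Wireshark code. It rewrites anything an XML 1.0 parser must reject into the same \xNN form the Linux output uses. The sample document, the function names, and the assumption that the Windows build wrote the raw field bytes into "show" are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the field from the report, with the nine raw bytes from
# its "value" attribute placed unescaped in "show" (assumed Windows behaviour).
RAW = bytes.fromhex("ec0f41af4686fe4e45")
SAMPLE = (b'<pdml><field name="ssh.padding_string" size="9" pos="477" show="'
          + RAW + b'" value="ec0f41af4686fe4e45"/></pdml>')

# Everything outside the XML 1.0 "Char" production (tab, LF, CR, U+0020 and up,
# minus surrogates and U+FFFE/U+FFFF).
ILLEGAL = re.compile(r"[^\t\n\r\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]")


def parses(data):
    """True if the document is well-formed as it stands."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def sanitize(data: bytes) -> str:
    """Rewrite bytes an XML parser must reject as literal \\xNN text."""
    # Bytes that are not valid UTF-8 become \xNN during decoding.
    text = data.decode("utf-8", errors="backslashreplace")
    # Decodable but illegal characters (e.g. 0x0f) get the same treatment.
    return ILLEGAL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def load_pdml(data: bytes):
    return ET.fromstring(sanitize(data))


def field_bytes(field):
    """Exact field bytes from the hex "value" attribute, not from "show"."""
    return bytes.fromhex(field.get("value"))


if __name__ == "__main__":
    field = load_pdml(SAMPLE).find("field")
    print(parses(SAMPLE), field.get("show"), field_bytes(field).hex())
```

After escaping, "show" is display text only, since a literal backslash sequence can no longer be told apart from an escaped byte; the hex "value" attribute is the reliable source for the field's bytes.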