Wireshark-users: Re: [Wireshark-users] in >wireshark-2.0.2, tshark follow ssl stream segfaults
From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Thu, 14 Jul 2016 23:30:56 +0200
I've just posted on the bug report:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12616#c7

and since I'm not so savvy, I'm more comfortable writing to ML. I'll
post to bugzilla if the case becomes clearer.

On 160713-08:36+0200, Miroslav Rovis wrote:
> On 160712-18:37-0400, Jeff Morriss wrote:

This below:
> ...
> > > tshark -o "ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt" -r \
> > >         "dump_160606_1328_g0n.pcap" -T fields -e data -qz follow,ssl,raw,0
> > > \
> > >         | grep -E '[[:print:]]' > dump_160606_1328_g0n_s000-ssl.raw

is the exact command that I used again, but on the updated Wireshark,
that contains Jeff's patch (let me repaste what I already posted on the
Bugzilla for clarity):

$ tshark -v
TShark (Wireshark) 2.1.1-git (v2.1.1rc0-522-g6c0972b from master)

Copyright 1998-2016 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.5.0, without c-ares, with Lua 5.1,
with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.

Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
version 1.7.4, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with zlib 1.2.8.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 5.4.0.
$

And again
> > >
> > > gets me these in the syslog:
it gets me the same kind of lines in the syslog (the fresh, but very similar,
lines are further below)
> > >
> > 
> > [...]
> > 
> > 
> > > Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general
> > > protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in
> > > tshark[23c026e000+43000]
> > >
> > > Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/)
> > > Segmentation fault occurred at            (nil) in
> > > /usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
> > > parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000
> > >

Jul 14 22:51:43 g0n kernel: [102763.437373] grsec: (miro:U:/) exec of
/usr/bin/tshark (tshark -o ssl.keylog_file:
dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T
fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:16898]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:51:53 g0n kernel: [102773.501148] grsec: (miro:U:/) exec of
/usr/bin/tshark (tshark -o ssl.keylog_file:
dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T
fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:16901]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:51:53 g0n kernel: [102773.501846] grsec: (miro:U:/) exec of
/bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:16902]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:51:53 g0n kernel: [102773.881845] traps: tshark[16901] general
protection ip:6c00acd230 sp:3e6575a3070 error:0 in
tshark[6c00aa9000+43000]

Jul 14 22:51:53 g0n kernel: [102773.881865] grsec: (miro:U:/)
Segmentation fault occurred at            (nil) in
/usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:51:53 g0n kernel: [102773.881882] grsec: (miro:U:/) denied
resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:51:58 g0n kernel: [102778.981062] grsec: (miro:U:/) exec of
/usr/bin/file (file dump_160606_1328_g0n_s000-ssl.raw ) by
/usr/bin/file[bash:16905] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:52:08 g0n kernel: [102788.333959] grsec: (miro:U:/bin/cat)
exec of /bin/cat (cat dump_160606_1328_g0n_s000-ssl.raw ) by
/bin/cat[bash:16906] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:52:08 g0n kernel: [102788.334509] grsec: (miro:U:/) exec of
/bin/grep (grep --colour=auto ============ ) by /bin/grep[bash:16907]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 22:52:12 g0n kernel: [102792.753275] grsec: (miro:U:/bin/cat)
exec of /bin/cat (cat dump_160606_1328_g0n_s000-ssl.raw ) by
/bin/cat[bash:16909] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000

Complete log there. As you can see from the first line in that excerpt
from my syslog (... Jul 14 22:51:43 g0n kernel: [102763.437373] grsec:
...), I did use the same two files
(... dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap
...) as previously in this thread and also in the bug report.

So this could be something else then. But it probably wouldn't be
pertinent from me to speculate much on what it could be. At least now
that I don't have any clear idea...

But I'm ready to tell more about other things on my Gentoo system, if they
are relevant.

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

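The kernel lines in the post carry the information needed to locate the crash even though no core file was written (grsec refused the dump because RLIMIT_CORE was 0): the "traps:" line gives the faulting instruction pointer and the base and length of the mapping it fell in, so the offset inside the tshark binary can be computed and handed to addr2line against an unstripped build. The following is an added example by the editor, not code from Miroslav's post or from the Wireshark project; it parses the three kinds of line quoted above (re-joined onto single lines as constructed sample input) and derives the offset per PID. The helper names and the addr2line command are the editor's own, and the command assumes the faulting mapping is the first PT_LOAD of the PIE (file offset 0), which is the usual layout.

```python
"""Pull the crash offset out of the kernel "traps:" and grsec lines quoted above.

Editor's added example; it is not code from the post or from Wireshark.
The sample lines are the ones from the post, re-joined onto single lines.
"""
import re

# "traps: tshark[16901] general protection ip:... sp:... error:0 in tshark[<base>+<size>]"
TRAPS_RE = re.compile(
    r"traps: (?P<comm>[^\[]+)\[(?P<pid>\d+)\] (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# grsec's own fault record: the faulting data address ("(nil)" here) and the binary.
GRSEC_SEGV_RE = re.compile(
    r"grsec: .*Segmentation fault occurred at\s+(?P<addr>\S+) in "
    r"(?P<path>[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)
# grsec refusing the core dump: with RLIMIT_CORE 0 there is no core file to load in gdb.
GRSEC_CORE_RE = re.compile(
    r"grsec: .*denied resource overstep by requesting \d+ for RLIMIT_CORE "
    r"against limit (?P<limit>\d+) for (?P<path>[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


def parse_trap(line):
    """Return a dict for a 'traps:' line, or None. offset = ip - mapping base."""
    m = TRAPS_RE.search(line)
    if m is None:
        return None
    ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "kind": m.group("kind"),
        "obj": m.group("obj"),
        "ip": ip,
        "base": base,
        "size": size,
        # The load base changes every run (PIE + ASLR on a hardened kernel);
        # the offset inside the mapping is what can be compared and symbolized.
        "offset": ip - base,
        "in_mapping": base <= ip < base + size,
    }


def correlate(lines):
    """Group the three kinds of line by PID into one record per crash."""
    crashes = {}
    for line in lines:
        trap = parse_trap(line)
        if trap is not None:
            crashes.setdefault(trap["pid"], {}).update(trap)
            continue
        m = GRSEC_SEGV_RE.search(line)
        if m is not None:
            rec = crashes.setdefault(int(m.group("pid")), {})
            rec["fault_addr"] = m.group("addr")
            rec["path"] = m.group("path")
            continue
        m = GRSEC_CORE_RE.search(line)
        if m is not None:
            rec = crashes.setdefault(int(m.group("pid")), {})
            rec["core_allowed"] = int(m.group("limit")) > 0
    return crashes


def addr2line_cmd(crash, binary):
    """addr2line invocation for an unstripped build of `binary` (editor's assumption).

    Assumes the faulting mapping is the first PT_LOAD of the PIE, i.e. file
    offset 0, which is the usual layout. If /proc/PID/maps shows a non-zero
    file offset for that mapping, add it to the offset first.
    """
    return ["addr2line", "-f", "-C", "-e", binary, "0x%x" % crash["offset"]]


# Constructed sample: the post's wrapped lines, each re-joined onto one line.
SAMPLE_LOG = [
    "Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general "
    "protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in tshark[23c026e000+43000]",
    "Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/) Segmentation "
    "fault occurred at            (nil) in /usr/bin/tshark[tshark:11975] "
    "uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776] "
    "uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 14 22:51:53 g0n kernel: [102773.881845] traps: tshark[16901] general "
    "protection ip:6c00acd230 sp:3e6575a3070 error:0 in tshark[6c00aa9000+43000]",
    "Jul 14 22:51:53 g0n kernel: [102773.881865] grsec: (miro:U:/) Segmentation "
    "fault occurred at            (nil) in /usr/bin/tshark[tshark:16901] "
    "uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31424] "
    "uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 14 22:51:53 g0n kernel: [102773.881882] grsec: (miro:U:/) denied "
    "resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for "
    "/usr/bin/tshark[tshark:16901] uid/euid:1000/1000 gid/egid:1000/1000, "
    "parent /bin/bash[bash:31424] uid/euid:1000/1000 gid/egid:1000/1000",
]

if __name__ == "__main__":
    for pid, c in sorted(correlate(SAMPLE_LOG).items()):
        print("pid %d: %s at %s+0x%x (core dump allowed: %s)" % (
            pid, c["kind"], c["obj"], c["offset"], c.get("core_allowed", "unknown")))
        print("  " + " ".join(addr2line_cmd(c, c.get("path", c["obj"]))))
```

Two things the parsed records make visible. First, both runs faulted in the mapping backed by the tshark executable itself ("in tshark[...]"), not in a shared library, at offsets 0x24717 (the 2.0.2-era run) and 0x24230 (the 2.1.1-git build); the absolute ip values differ only because the hardened kernel randomizes the PIE load base, so the offset is the number worth quoting in the bug report. Second, the posted pipeline `tshark ... | grep ... > file` ends with grep, so the shell reports grep's exit status and the crash is only visible in syslog; running it under `set -o pipefail` (bash) makes tshark's signal exit fail the pipeline instead of silently producing a truncated output file.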