Can you run it under a debugger and get a backtrace?

$ gdb /path_to/tshark
(gdb) run -V -q -r file.cap
-- crashes in the meanwhile
(gdb) bt

Luis

On 6/21/07, Bernhard Bock <[EMAIL PROTECTED]> wrote:
> Luis EG Ontanon wrote:
> > You should try applying the transformation to the Pdu and copy (using
> > Extra) the "answered" attribute from pdu to gop, and finally to gog
> [...]
>
> Thanks a lot - works like a charm!! (With small modifications to your
> proposal in order to extract "answered" instead of "ans" and matching
> against "ldap_op" instead of "ldap.protocolOp")
>
> I do have another problem now:
>
> I try to correlate the LDAP with RADIUS traffic as well. As long as I
> put only all the LDAP related stuff and the RADIUS Pdu section in MATE,
> everything works. As soon as I insert the RADIUS Gop section, Wireshark
> crashes with a failed assertion.
> This happens only if the trace file contains RADIUS packets. It works,
> though, if I keep both the RADIUS Pdu and Gop sections, but remove all
> LDAP stuff.
>
> The failed assertion is in line 193 of except.c.
> The Expression is: top->except_type == XCEPT_CATCHER
> (Not sure if that helps, but that's what the error message says...)
>
> I'm using Wireshark 0.99.5 SVN Rev 20677
>
> Unfortunately I cannot provide a sample trace file, as it includes
> customer data that I must not publish or share with anybody.
>
> best regards
> Bernhard
>
> ================================snip====================================
>
> Transform ans {
>     Match (ldap_op=4) Insert (answered);
> };
>
> Pdu ldap_pdu Proto ldap Transport tcp/ip {
>     Extract addr From ip.addr;
>     Extract port From tcp.port;
>     Extract ldap_op From ldap.protocolOp;
>     Extract ldap_msgid From ldap.messageID;
>     Extract ldap_search From ldap.assertionValue;
>     Extract ldap_res From ldap.objectName;
>     Transform ans;
> };
>
> Pdu radius_pdu Proto radius Transport udp/ip {
>     Extract addr From ip.addr;
>     Extract port From tcp.port;
>     Extract rad_op From radius.code;
>     Extract rad_msgid From radius.id;
>     Extract rad_clientip From radius.Framed-IP-Address;
> };
>
> Gop radius_ses On radius_pdu Match (rad_msgid, addr, addr, port, port) {
>     Start (rad_op=4);
>     Stop (rad_op=5);
>     Extra (rad_clientip);
> };
>
> Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
>     Start (ldap_op=3);
>     Stop (ldap_op=5);
>     Extra (ldap_search, answered);
> };
>
> Gog user_all {
>     Member ldap_ses ( ldap_search );
>     Extra (answered);
> };
>
> Done;
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>

-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan