438473 – wireshark via ssh -X on ipv6 link-local address fails to allow capture

Bug 438473 - wireshark via ssh -X on ipv6 link-local address fails to allow capture

Summary: wireshark via ssh -X on ipv6 link-local address fails to allow capture

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	wireshark
Sub Component:
Version:	5.2
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Safranek
QA Contact:	Miroslav Vadkerti
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-03-21 08:37 UTC by Sage Grigull
Modified:	2013-01-08 05:01 UTC (History)
CC List:	4 users (show)
Fixed In Version:	wireshark-1.0.15-2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:	When Wireshark starts with X11 protocol being tunnelled through ssh connection, it automatically prepares its capture filter to omit these ssh packets. If the ssh connection is to link-local IPv6 address including interface name (like ssh -X <ipv6addr>%eth0), Wireshark erroneously parsed this address and constructed wrong capture filter and refused to capture packets with 'Invalid capture filter' message. In this update, parsing of link-local IPv6 addresses is fixed and Wireshark prepares correct capture filter to omit ssh over link-local IPv6 connection.
Last Closed:	2013-01-08 05:01:32 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
error message when attempting to start capture described as per BZ (78.26 KB, image/png) 2008-03-21 08:40 UTC, Sage Grigull	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0125	0	normal	SHIPPED_LIVE	Moderate: wireshark security, bug fix, and enhancement update	2013-01-08 09:22:17 UTC

Description Sage Grigull 2008-03-21 08:37:57 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/20080213 Red Hat/1.5.0.12-11.el5_1 Firefox/1.5.0.12

Description of problem:
when using a remote wireshark connected via ssh usiong ipv6 and X tunneling, capture fails




Version-Release number of selected component (if applicable):
wireshark-gnome-0.99.7-1.el5

How reproducible:
Always


Steps to Reproduce:
1. ssh -X ipv6_addr%eth0
2. wireshark
3. start capture

Actual Results:
Denaila of capture on any interface (inluding lo)

see attached image.


Expected Results:
capture starts

Additional info:

Comment 1 Sage Grigull 2008-03-21 08:40:12 UTC

Created attachment 298779 [details]
error message when attempting to start capture described as per BZ

Comment 2 Sage Grigull 2008-03-21 08:42:30 UTC

It should be noted that no display or capture filters were defined by the user
at any stage.

All other interfaces fail with the same error message except 'any': it fails on
not being able to set promiscous mode on any

Comment 3 Sage Grigull 2008-05-27 08:55:39 UTC

originally observed with RHel5u1, bumping to RHEL5.2

Comment 4 Guy Harris 2009-12-10 01:59:54 UTC

Wireshark fills in a default capture filter when it's being run "over the wire" in some sense, e.g. from an ssh connection or an X11 connection from another machine.  The default capture filter is intended to filter out traffic for that connection, so that, for example, updates to the X11 display for Wireshark, or printed output for packets from TShark, don't *themselves* generate traffic that Wireshark or TShark will display, said display then causing more traffic, *ad infinitum*.

That's the capture filter that showed up in the error message.  It got a "scoped" IPv6 address (see RFC 4007), and put that into the capture filter; however, as libpcap doesn't support scoped addresses in filters (and the scope ID doesn't show up on the wire, so there's nothing for it *to* support).

Wireshark should remove any scope IDs from addresses it puts into the default capture filter.  Please file an upstream bug at

   http://bugs.wireshark.org

(it's Bugzilla, so you'll need to create an account) about this, and put my comments into the bug.

Comment 5 Jan Safranek 2010-06-28 13:47:15 UTC

patch sent upstream: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4945

Comment 6 RHEL Program Management 2012-04-02 10:26:26 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 9 Miroslav Vadkerti 2012-07-31 15:01:05 UTC

Looks like the issue cannot be reproduced with tshark, so manual verifictaion only.

Comment 13 errata-xmlrpc 2013-01-08 05:01:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0125.html

Note You need to log in before you can comment on or make changes to this bug.