Crash reading PCAP file, tshark exited

[pacovi]

While loading a PCAP file it crashes.
To reproduce the problem I have just to follow the Example 1 and when I start the capture the program crashes. The problem is that tshark is using a deprecated option (or so it says the log) and it just exits, creating an error on Foren6 and causing a crash.

It happens using Foren6 from Git or *.deb package on Ubuntu 12.04 LTS (I'm using Instant Contiki), "tshark -v" shows: "TShark 1.11.3 (SVN Rev 53420 from /trunk)"; and the console output of Foren6 after causing the crash is in the end of the issue (LOG1).

By using #DEFINE USE_NEW_TSHARK in the sniffer_packet_parser.c file, it does solve the problem but I get another one instead, marked as LOG2 in the end of the issue.

---

LOG1

Loading /usr/lib/foren6/interfaces/libinterface_pcap.so
Registered interface pcap from file /usr/lib/foren6/interfaces/libinterface_pcap.so
pcap interface initialized
Loading /usr/lib/foren6/interfaces/libinterface_sensnif.so
Registered interface sensnif from file /usr/lib/foren6/interfaces/libinterface_sensnif.so
snif interface initialized
Loading /usr/lib/foren6/interfaces/libinterface_snif.so
Registered interface snif from file /usr/lib/foren6/interfaces/libinterface_snif.so
snif interface initialized
PktSync: New iface: /usr/share/doc/foren6/pcaps/example1-rpl-collect.pcap, nb root = 1
PCAP reader started
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
tshark exited
Could not start tshark

---

LOG2

Loading /usr/lib/foren6/interfaces/libinterface_pcap.so
Registered interface pcap from file /usr/lib/foren6/interfaces/libinterface_pcap.so
pcap interface initialized
Loading /usr/lib/foren6/interfaces/libinterface_sensnif.so
Registered interface sensnif from file /usr/lib/foren6/interfaces/libinterface_sensnif.so
snif interface initialized
Loading /usr/lib/foren6/interfaces/libinterface_snif.so
Registered interface snif from file /usr/lib/foren6/interfaces/libinterface_snif.so
snif interface initialized
PktSync: New iface: /usr/share/doc/foren6/pcaps/example1-rpl-collect.pcap, nb root = 1
PCAP reader started

(process:32359): GLib-CRITICAL *: g_hash_table_lookup_extended: assertion `hash_table != NULL' failed
*
ERROR:wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)

tshark exited
Could not start tshark
make: *** [run] Error 1

[jdede]

I experienced the same issues with debian testing, tshark 1.12.1 and the current git checkout. With #define USE_NEW_TSHARK, I got the following error:

snif interface initialized
PktSync: New iface: /home/basic/src/git/contiki-untouched/tools/cooja/build/radiolog-1426233540490.pcap, nb root = 1
Registered event listener change listener:  true 
PCAP reader started
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
tshark exited
Could not start tshark

[laurentderu]

Thanks for the feedback, I guess it's time to with the default tshark interface to the new one (and provide a command line option to select the old one).

[kYc0o]

Is this issue solved? I'm having the same problem here:

tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
tshark exited
Could not start tshark
make: *** [run] Error 1

Do you have any workaround to this?

Thanks in advance

[kYc0o]

if I put #define USE_NEW_TSHARK I'm having this error:

tshark: Live captures do not support two-pass analysis.
tshark exited
Could not start tshark
make: *** [run] Error 1

[laurentderu]

I pushed a fix that allow runtime configuration of tshark using the Settings dialog and set the new version of tshark command line as the default one. Could you tell me if this fixes your problem ?

[gillesDD]

Hi Laurent,
Face the same issue, because just begin tooday to play with foren6
could you share the commit id ?
Thanks and regards
Gilles

[laurentderu]

Hi Gilles,

It's available in the latest version of the foren6 top project. The actual commit is 1927d08 which reference the latest commits of analyzer and gui-qt

[gillesDD]

Hi,
So i pick up the last git top project, make ;make install
=>strange, had to update settingsDialog.cpp does not compile, missing stdio for printf ...
Then, I open foren6 preferences : old tshark check box NOT selected. (if selected, current issue occurs as expected)
TShark is 1.12.1
LOG is
PktSync: New iface: /usr/share/doc/foren6/pcaps/example1-rpl-collect.pcap, nb root = 1
PCAP reader started
(process:9541): GLib-CRITICAL *: g_hash_table_lookup_extended: assertion 'hash_table != NULL' failed
*
ERROR:/build/buildd/wireshark-1.12.1+g01b65bf/epan/wmem/wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)
tshark exited
Could not start tshark

Did I missed something ?

[laurentderu]

Hi Gilles,

I forgot to remove a debug printf (and on MacOS it's included by default). I pushed a fix for that.

You problem looks like an internal tshark crash, I tested the modification with shark 1.12.4 without troubles, do you have this crash with all pcap/sources ?

[gillesDD]

Hi Laurent
works fine with 1.12.4 ! (pcap from foren6 example and cc26xx "real" pcap too)
Thanks again
Gilles

[aignacio]

Hello @gillesDD,
Can you explain how are you using the foren6 to sniff? (what software are you running)
I'm using sensniff with PCAP option activated and the foren6 show the same error "could not start tshark"

python sensniff.py -p -D INFO -d /dev/ttyACMX

[bouacheria-ibtissem]

Hi,

To solve this problem you just need to go to file->preference and enable old tshark .

hope that this issue will pass to solved