-
Notifications
You must be signed in to change notification settings - Fork 406
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warning: Could not decode PDML data: ... "illegal character code" #133
Comments
the error appears in pcap/loader.go
not knowing go, i haven't been able to disable it yet. |
Hi @clort81 - yes you're right, that's the source of the message that termshark emits. The problem seems to come from invalid XML generated by tshark in some circumstances. I saw it most recently working with telnet. If you download this pcap, you can see the invalid XML by running this command: https://drive.google.com/file/d/1B3NJv8oOARlY7aztkVNA8oB4SYGFfas3/view?usp=sharing $ tshark -r zork.pcap -T pdml | xmllint --noout -
-:1485: parser error : invalid character in attribute value
ield name="telnet.data" showname="Data: �\030\001" size="3" pos="40" show="�
^
-:1485: parser error : attributes construct error
ield name="telnet.data" showname="Data: �\030\001" size="3" pos="40" show="�
^
... These characters fail I could suppress the message but the problem really is that the XML parsing breaks at this point. While I look more closely, here's a crummy workaround:
#!/usr/bin/env bash
if [[ " $* " =~ " pdml " ]]; then
exec tshark "$@" | tr -cd '\11\12\15\40-\176'
else
exec tshark "$@"
fi
[main]
tshark = "/usr/local/bin/tshark-hack" Let me know if that doesn't work :-) |
If this value is not set explicitly, a false value means that an error from a termshark-initiated tshark process will result in an error dialog in the termshark UI. I am seeing this more and more as I test with various pcaps - it always comes from tshark serializing characters into XML text that are invalid, according to the XML spec (val <= 31 and val not in {tab, CR, LF}). Here is a merge request against Wireshark to try to solve this problem at the source: https://gitlab.com/wireshark/wireshark/-/merge_requests/7398 To see the problem, try this: $ wget https://storage.googleapis.com/gcla3/xmlbug.pcapng $ tshark -r xmlbug.pcapng -T pdml | xmllint --noout - || echo bad xml Even if this Wireshark request is merged, it will presumably be a long time before all termshark-used tsharks are updated. So I think the more user-friendly option is to suppress these errors to avoid popups about which the user can do very little anyway. Here's a hack you can use if you want to see errors, in general, but are not interested in this specific XML error: #133 (comment) Workaround: - create the following file called e.g. /usr/local/bin/tshark-hack if [[ " $* " =~ " pdml " ]]; then exec tshark "$@" | tr -cd '\11\12\15\40-\176' else exec tshark "$@" fi - run: $ sudo chmod +x /usr/local/bin/tshark-hack - edit ~/.config/termshark/termshark.toml [main] tshark = "/usr/local/bin/tshark-hack"
Here's a Wireshark merge-request to fix this at the source: https://gitlab.com/wireshark/wireshark/-/merge_requests/7398 |
Prerequisites
Please verify these before submitting an issue.
Package: termshark
Version: 2.2.0-2
Yes
Yes
Problem
Running sudo termshark -i [interface] works then displays warning box:
"Could not decode PDML data: XML syntax error on line 78925: illegal character code U+0006."
Current Behavior
Running sudo termshark -i [interface] works then displays warning box:
"Could not decode PDML data: XML syntax error on line 78925: illegal character code U+0006."
Expected Behavior
No warning popup box.
Screenshots as applicable
Steps to Reproduce
Run termshark -i eth0
Context
Please provide the complete output of these commands:
termshark -v
termshark 2.2.0
Please also provide any relevant information about your environment (OS, VM, pi,...)
Devuan ceres, aarch64
The text was updated successfully, but these errors were encountered: