Warning: Could not decode PDML data: ... "illegal character code" #133

Open
3 tasks
clort81 opened this issue Dec 2, 2021 · 3 comments


clort81 commented Dec 2, 2021

Prerequisites

Please verify these before submitting an issue.

  • I am running the latest versions of Termshark and Wireshark.

Package: termshark
Version: 2.2.0-2

Yes

  • I searched issues and this has not yet been filed

Yes

Problem

Running sudo termshark -i [interface] works then displays warning box:
"Could not decode PDML data: XML syntax error on line 78925: illegal character code U+0006."

Current Behavior

Running sudo termshark -i [interface] works then displays warning box:
"Could not decode PDML data: XML syntax error on line 78925: illegal character code U+0006."

Expected Behavior

No warning popup box.

Screenshots as applicable

Steps to Reproduce

Run termshark -i eth0

Context

Please provide the complete output of these commands:

termshark -v
termshark 2.2.0

Please also provide any relevant information about your environment (OS, VM, pi,...)

Devuan ceres, aarch64


clort81 commented Dec 2, 2021

the error appears in pcap/loader.go

                Loop:
                        for {
                                tok, err := d.Token()
                                if err != nil {
                                        if !issuedKill && unexpectedPdmlError(err) {
                                                err = fmt.Errorf("Could not read PDML data: %v", err)
                                                issuedKill = true
                                                pdmlCancelFn()                                                          
                                                HandleError(PdmlCode, app, err, cb)
                                        }
                                        if err == io.EOF {
                                                readAllRequiredPdml = true
                                        }
                                        break

Not knowing Go, I haven't been able to disable it yet.


gcla commented Dec 3, 2021

Hi @clort81 - yes you're right, that's the source of the message that termshark emits. The problem seems to come from invalid XML generated by tshark in some circumstances. I saw it most recently working with telnet. If you download this pcap, you can see the invalid XML by running this command:

https://drive.google.com/file/d/1B3NJv8oOARlY7aztkVNA8oB4SYGFfas3/view?usp=sharing

$ tshark -r zork.pcap -T pdml | xmllint --noout -
-:1485: parser error : invalid character in attribute value
ield name="telnet.data" showname="Data: �\030\001" size="3" pos="40" show="
                                                                               ^
-:1485: parser error : attributes construct error
ield name="telnet.data" showname="Data: �\030\001" size="3" pos="40" show="�
                                                                               ^
...

These characters fail isInCharacterRange() from the Go stdlib's xml.go. I'm not certain about this diagnosis yet though...

I could suppress the message but the problem really is that the XML parsing breaks at this point. While I look more closely, here's a crummy workaround:

  • create the following file called e.g. /usr/local/bin/tshark-hack

#!/usr/bin/env bash

if [[ " $* " =~ " pdml " ]]; then
    exec tshark "$@" | tr -cd '\11\12\15\40-\176'
else
    exec tshark "$@"
fi

  • sudo chmod +x /usr/local/bin/tshark-hack

  • edit ~/.config/termshark/termshark.toml

[main]
  tshark = "/usr/local/bin/tshark-hack"

Let me know if that doesn't work :-)

gcla added a commit that referenced this issue Jul 10, 2022
If this value is not set explicitly, a false value means that an error
from a termshark-initiated tshark process will result in an error dialog
in the termshark UI. I am seeing this more and more as I test with
various pcaps - it always comes from tshark serializing characters into
XML text that are invalid, according to the XML spec (val <= 31 and val
not in {tab, CR, LF}). Here is a merge request against Wireshark to try
to solve this problem at the source:
https://gitlab.com/wireshark/wireshark/-/merge_requests/7398

To see the problem, try this:

$ wget https://storage.googleapis.com/gcla3/xmlbug.pcapng
$ tshark -r xmlbug.pcapng -T pdml | xmllint --noout - || echo bad xml

Even if this Wireshark request is merged, it will presumably be a long
time before all termshark-used tsharks are updated. So I think the more
user-friendly option is to suppress these errors to avoid popups about
which the user can do very little anyway.

Here's a hack you can use if you want to see errors, in general, but are
not interested in this specific XML error:

#133 (comment)

Workaround:

- create the following file called e.g. /usr/local/bin/tshark-hack

#!/usr/bin/env bash

if [[ " $* " =~ " pdml " ]]; then
    exec tshark "$@" | tr -cd '\11\12\15\40-\176'
else
    exec tshark "$@"
fi

- run:

$ sudo chmod +x /usr/local/bin/tshark-hack

- edit ~/.config/termshark/termshark.toml

[main]
  tshark = "/usr/local/bin/tshark-hack"

gcla commented Jul 15, 2022

Here's a Wireshark merge-request to fix this at the source:

https://gitlab.com/wireshark/wireshark/-/merge_requests/7398
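The failure discussed in this thread and a stream-level filter for it, as an added example in Go (not termshark's or Wireshark's code). The names `xmlCharFilter`, `sanitize`, `countFields` and the sample PDML are assumptions made for illustration. It goes slightly beyond the `tr` workaround: it drops only bytes that are invalid UTF-8 or outside the XML 1.0 character range, so valid non-ASCII text survives.

```go
package main

import (
	"bufio"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
	"unicode/utf8"
)

// Constructed sample (not real tshark output): control bytes, a raw 0xFF, a valid "é".
const samplePDML = "<pdml><packet><proto><field showname=\"Data: \x06\x18\x01\"/>" +
	"<field showname=\"caf\u00e9 \xff\"/></proto></packet></pdml>"

func isXMLChar(r rune) bool { // XML 1.0 "Char" production
	return r == 0x09 || r == 0x0A || r == 0x0D || (r >= 0x20 && r <= 0xD7FF) ||
		(r >= 0xE000 && r <= 0xFFFD) || (r >= 0x10000 && r <= 0x10FFFF)
}

// xmlCharFilter (hypothetical name) drops invalid UTF-8 bytes and non-Char runes.
// Read assumes len(p) >= utf8.UTFMax and returns early so a live pipe never stalls.
type xmlCharFilter struct{ src *bufio.Reader }

func sanitize(r io.Reader) io.Reader { return &xmlCharFilter{bufio.NewReader(r)} }

func (f *xmlCharFilter) Read(p []byte) (n int, err error) {
	for n+utf8.UTFMax <= len(p) && (n == 0 || f.src.Buffered() > 0) {
		if r, size, err := f.src.ReadRune(); err != nil {
			return n, err
		} else if (r != utf8.RuneError || size > 1) && isXMLChar(r) {
			n += utf8.EncodeRune(p[n:], r)
		}
	}
	return n, nil
}

// countFields decodes PDML with encoding/xml and counts the <field> elements.
func countFields(r io.Reader) (int, error) {
	var doc struct {
		Fields []struct{} `xml:"packet>proto>field"`
	}
	err := xml.NewDecoder(r).Decode(&doc)
	return len(doc.Fields), err
}

func main() {
	fmt.Println(countFields(strings.NewReader(samplePDML)))           // raw input
	fmt.Println(countFields(sanitize(strings.NewReader(samplePDML)))) // filtered input
}
```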
