Wireshark-bugs: [Wireshark-bugs] [Bug 6718] New: tshark (editcap) pcapng handling limitations: o
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718
Summary: tshark (editcap) pcapng handling limitations: options and ISB blocks
Product: Wireshark
Version: 1.7.x (Experimental)
Platform: x86
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: TShark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: jpo@xxxxxxxxxxxx
Build Information:
TShark 1.7.1-SVN-40412 (SVN Rev Unknown from unknown)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.30.1, with libpcap (version unknown), with libz
1.2.5, without POSIX capabilities, without SMI, without c-ares, without ADNS,
with Lua 5.1, with Python 2.7.2, with GnuTLS 2.12.7, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.
Running on Linux 3.1.7-1.fc16.x86_64, with locale en_US.UTF-8, with libpcap
version 1.2.1, with libz 1.2.5.
Built using gcc 4.6.2 20111027 (Red Hat 4.6.2-1).
--
Creating new pcapng files from existing ones with tshark (or editcap) causes
information to be lost. In particular,
* all block options are lost and
* all "Interface Statistics" blocks are lost

This behavior can be observed by executing the following commands:

1) create a new pcapng capture file with dumpcap (or tshark) in Linux

    dumpcap -i eth0 -f tcp -c 4 -w f.pcapng

This will create a pcapng with the following blocks:
* 1 x SHB (with option 4)
* 1 x IDB (with options 2 and 11)
* 4 x EPB
* 1 x ISB (with options 4 and 5)

2) create a new pcapng from the previous one with tshark

    tshark -r f.pcapng -w n.pcapng

The new pcapng file (n.pcapng) will be smaller than the original one
due to the loss of the ISB block and the block options.
The new pcapng file will only have the following blocks:
* 1 x SHB (without options)
* 1 x IDB (without options)
* 4 x EPB

Note: the same thing happens with editcap
(editcap -T ether f.pcapng n.pcapng)
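
An added example, not part of the original report or of Wireshark's code: a small pcapng block walker that lists each block type and its option codes, which is one way to confirm the loss described above when capture metadata matters as evidence. The two sample captures are constructed in memory to mirror the block lists for f.pcapng and n.pcapng; the option values and packet bytes are placeholders, and the helper names are assumptions of this example.

```python
import struct

SHB, IDB, ISB, EPB = 0x0A0D0D0A, 1, 5, 6          # pcapng block type codes
LAYOUT = {SHB: ("SHB", 16), IDB: ("IDB", 8), ISB: ("ISB", 12), EPB: ("EPB", None)}

def pad4(n):
    return (n + 3) & ~3                           # fields are padded to 32 bits

def option_codes(opts, endian):
    codes, off = [], 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from(endian + "HH", opts, off)
        if code == 0:                             # opt_endofopt
            break
        codes.append(code)
        off += 4 + pad4(length)
    return codes

def summarize(data):
    """Return [(block name, [option codes])] for the bytes of a pcapng file."""
    out, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:                          # byte-order magic sets section endianness
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("malformed block at offset %d" % off)
        name, fixed = LAYOUT.get(btype, (hex(btype), None))
        body = data[off + 8:off + total - 4]
        if btype == EPB:                          # options follow the padded packet data
            fixed = 20 + pad4(struct.unpack_from(endian + "I", body, 12)[0])
        out.append((name, option_codes(body[fixed:], endian) if fixed is not None else []))
        off += total
    return out

def opt(code, value):
    return struct.pack("<HH", code, len(value)) + value.ljust(pad4(len(value)), b"\0")

def block(btype, fixed, options=b""):
    body = fixed + (options + opt(0, b"") if options else b"")
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def sample(meta):
    """Constructed capture: meta=True mimics f.pcapng, meta=False mimics n.pcapng."""
    o = lambda *p: b"".join(opt(c, v) for c, v in p) if meta else b""
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1), o((4, b"dumpcap")))
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535), o((2, b"eth0"), (11, b"\0tcp")))
    epb = b"".join(block(EPB, struct.pack("<5I", 0, 0, i, 5, 5) + b"hello\0\0\0") for i in range(4))
    isb = block(ISB, struct.pack("<3I", 0, 0, 9), o((4, bytes(8)), (5, bytes(8))))
    return shb + idb + epb + (isb if meta else b"")
```

To check real files, pass `open("f.pcapng", "rb").read()` and the bytes of n.pcapng to `summarize()` and compare the two lists.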