Wireshark-bugs: [Wireshark-bugs] [Bug 6718] New: tshark (editcap) pcapng handling limitations: o
Date: Mon, 9 Jan 2012 13:14:42 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718

           Summary: tshark (editcap) pcapng handling limitations: options
                    and ISB blocks
           Product: Wireshark
           Version: 1.7.x (Experimental)
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: jpo@xxxxxxxxxxxx


Build Information:
TShark 1.7.1-SVN-40412 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.30.1, with libpcap (version unknown), with libz
1.2.5, without POSIX capabilities, without SMI, without c-ares, without ADNS,
with Lua 5.1, with Python 2.7.2, with GnuTLS 2.12.7, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.

Running on Linux 3.1.7-1.fc16.x86_64, with locale en_US.UTF-8, with libpcap
version 1.2.1, with libz 1.2.5.

Built using gcc 4.6.2 20111027 (Red Hat 4.6.2-1).
--
Creating new pcapng files from existing ones with tshark (or editcap) causes
information to be lost.  In particular,

  * all block options are lost and 
  * all "Interface Statistics" blocks are lost


This behavior can be observed by executing the following commands:

 1) create a new pcapng capture file with dumpcap (or tshark) in Linux

    dumpcap -i eth0 -f tcp -c 4 -w f.pcapng


    This will create a pcapng with the following blocks:

     * 1 x SHB (with option 4)
     * 1 x IDB (with options 2 and 11)
     * 4 x EPB
     * 1 x ISB (with options 4 and 5)


 2) create a new pcapng from the previous one with tshark

    tshark -r f.pcapng -w n.pcapng

    The new pcapng file (n.pcapng) will be smaller than the original one
    due to the loss of the block ISB and the block options.

    The new pcapng file will only have the following blocks


     * 1 x SHB (without options)
     * 1 x IDB (without options)
     * 4 x EPB

    Note: the same thing happens with editcap
          (editcap -T ether f.pcapng n.pcapng)

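The block and option inventory listed in the report can be checked with a small pcapng walker. The following is an added example, not part of the original report and not Wireshark code; the two sample captures are constructed byte strings that mirror the block lists above, and all helper names are hypothetical.

```python
import struct

SHB, IDB, ISB, EPB = 0x0A0D0D0A, 1, 5, 6
NAMES = {SHB: "SHB", IDB: "IDB", ISB: "ISB", EPB: "EPB"}
FIXED = {SHB: 16, IDB: 8, ISB: 12}      # bytes of fixed fields before the options

def option_codes(buf, e):
    """Option codes in an options area, stopping at opt_endofopt (code 0)."""
    codes, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(e + "HH", buf, off)
        if code == 0:
            break
        codes.append(code)
        off += 4 + (length + 3) // 4 * 4    # option values are padded to 32 bits
    return codes

def summarize(data):
    """Return [(block name, [option codes]), ...] for a pcapng byte string."""
    out, off, e = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\n\r\r\n":    # SHB: byte-order magic sets endianness
            e = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(e + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        body = data[off + 8:off + total - 4]
        fixed = FIXED.get(btype)
        if btype == EPB:                        # 20 fixed bytes + padded packet data
            fixed = 20 + (struct.unpack_from(e + "I", body, 12)[0] + 3) // 4 * 4
        opts = option_codes(body[fixed:], e) if fixed is not None else []
        out.append((NAMES.get(btype, hex(btype)), opts))
        off += total
    return out

# Constructed little-endian samples mirroring the block lists in the report.
def blk(btype, body):
    n = len(body) + 12
    return struct.pack("<II", btype, n) + body + struct.pack("<I", n)

def opt(code, val):
    return struct.pack("<HH", code, len(val)) + val + b"\0" * (-len(val) % 4)

END = opt(0, b"")
shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
idb = struct.pack("<HHI", 1, 0, 65535)
epb = struct.pack("<5I", 0, 0, 0, 6, 6) + b"\x01\x02\x03\x04\x05\x06\0\0"
isb = struct.pack("<3I", 0, 0, 0)
ORIGINAL = (blk(SHB, shb + opt(4, b"Dumpcap") + END) + blk(EPB, epb)[:0]
            + blk(IDB, idb + opt(2, b"eth0") + opt(11, b"\0tcp") + END)
            + blk(EPB, epb) * 4 + blk(ISB, isb + opt(4, bytes(8)) + opt(5, bytes(8)) + END))
REWRITTEN = blk(SHB, shb) + blk(IDB, idb) + blk(EPB, epb) * 4
```

To compare real captures, pass `open("f.pcapng", "rb").read()` and `open("n.pcapng", "rb").read()` to `summarize()` and diff the two lists.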