Wireshark-bugs: [Wireshark-bugs] [Bug 3096] Ability to annotate packet captures
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 13 Feb 2012 16:10:55 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096

--- Comment #47 from Jose Pedro Oliveira <jpo@xxxxxxxxxxxx> 2012-02-13 16:10:54 PST ---
(In reply to comment #46)
> (In reply to comment #45)
> > (In reply to comment #44)
---[snip]---
> > The current limitation from the wiki page says theat wireshark only handles
> > one SHB and one IDB let's make that work first.
> 
> "One SHB" is, as far as I know, currently true; "one IDB" is not.  The page at
> 
>     http://wiki.wireshark.org/Development/PcapNg
> 
> if that's "the wiki page" says "When merging files, mergecap doesn't retain
> each IDB's snaplen", and "each IDB" seems to imply to me that more than one is
> supported and, in fact, the page later says

To be more precise, pcapng file manipulations (in.pcapng -> out.pcapng) done
with the Wiretap API will result in information loss :

  * all options of every block type will be lost, and
  * all interface statistics blocks will also be lost

Ticket about this problem: #6718

> 
>   [v1.7.x] dumpcap -i eth0 -i eth1 -i eth2 -w file.pcapng
>   Capture file will have the following pcap-ng blocks: SHB, IDB, IDB, IDB, EPB,
> EPB, ..., ISB, ISB, ISB.
> 
> so it explicitly speaks of multiple IDBs.  (Arguably, "dumpcap -i any -w
> file.pcapng" should write IDBs for the real interfaces rather than the "any"
> interface, but that's a bit more work; what's really wanted there is some help
> from libpcap.)

At the time I added the above information to the Wiki page, dumpcap 1.7.x did
the rigth thing: it create an IDB and an ISB block for each interface listed in
the command line (and the IDB blocks immediately followed the SHB block). I
didn't check the "-i any" though.

BTW: Is there any wiki page or ticket for tracking the pcapng implemented
features, work in progress, wishlist, bugs, ... ?  Or can I continue to use the
pcapng wiki page to report problems?

regards,
jpo

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.