Wireshark-bugs: [Wireshark-bugs] [Bug 6718] Wiretap API needs to handle pcap-NG ISB blocks
Date: Mon, 5 Mar 2012 01:38:57 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718

--- Comment #7 from Anders Broman <anders.broman@xxxxxxxxxxxx> 2012-03-05 01:38:55 PST ---
(In reply to comment #6)
> (In reply to comment #5)
> > Status update as of rev41328:
> > 
> > Steps:
> >  1) cd ~/sandbox/wireshark-1.7.1-SVN-41328
> >  2) ./dumpcap -i p132p1 -f tcp -i lo -i p3p1 -f udp -c 1 -w rev41328.pcapng
> >  3) ./tshark -r rev41328.pcapng -w n.pcapng
> >     or
> >     ./editcap -T ether rev41328.pcapng n.pcapng
> > 
> > Result (n.pcapng)
> > 
> >  * the SHB and IDB options are being copied
> >  * the ISB blocks are still being dropped
> >  * the IDB if_filter option is being dropped
> >  * the IDB if_tsresol option is being created by tshark/editcap
> >    (it is written by the wiretap API with a default value of 6;
> >     but it is not written by dumpcap API)
> >  * ERROR: there are strings being corrupted (namely the if_name)
> > 
> >     ---------
> > @@ -11,55 +11,26 @@
> >        F: Snaplen          = 65535
> >        F: Linktype         = 1
> >        O: Option code  2   = 'p132p1'
> > -      O: Option code 11   = 'tcp'
> > +      O: Option code  9   = 6
> >        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
> >  000000C8 Block 0x00000001 - Interface Description Block
> > -      F: Block total len  = 64 (0x40) bytes
> > +      F: Block total len  = 72 (0x48) bytes
> >        F: Snaplen          = 65535
> >        F: Linktype         = 1
> > -      O: Option code  2   = 'lo'
> > +      O: Option code  2   = 'lo32p1'
> > +      O: Option code  9   = 6
> >        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
> > -00000108 Block 0x00000001 - Interface Description Block
> > -      F: Block total len  = 76 (0x4c) bytes
> > +00000110 Block 0x00000001 - Interface Description Block
> > +      F: Block total len  = 72 (0x48) bytes
> >        F: Snaplen          = 65535
> >        F: Linktype         = 1
> > -      O: Option code  2   = 'p3p1'
> > -      O: Option code 11   = 'udp'
> > +      O: Option code  2   = 'p3p1p1'
> > +      O: Option code  9   = 6
> >        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
> > ...
> > ---------
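Review bot: In the second and third IDBs the changed option code 2 values ('lo32p1', 'p3p1p1') are each the new, shorter name followed by the tail of the name printed just before it ('p132p1', then 'lo32p1'). That is the pattern a dump tool produces when it prints a string that is not NUL-terminated out of a reused buffer, so print option code 2 bounded by its option length before reading these lines as corruption in n.pcapng. The removed option code 11 lines and the added option code 9 = 6 lines are the if_filter and if_tsresol differences already listed in the result summary.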
> > 
> >     Note that the if_name in the second and third IDBs don't match the initial
> >     values.
> > 
> >     This problem "may" be related to the way string options are being
> >     handled:
> >      * dumpcap: the NUL character is written to the file and the option_len
> >        reflects this
> >      * wiretap: the read operation uses the option_length field to read/copy
> >        the string but the write operation discards the string NUL character.
> >        This makes all string option length field values 1 byte shorter in the
> >        new file (the one created with tshark or editcap).
> OOPS!  The string option values in the new pcapng are not corrupted. My dump
> program is using the ntar library and it expects the strings to be NUL
> terminated.

if_filter should survive reading and writing by dumpcap/wireshark as of 41352.
Note that if_filter is not a string: "..The first byte of the Option Data keeps
a code of the filter used...". dumpcap/wireshark treated it as a string; the ntar
library might as well...
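
An added example, not part of the original bug comments and not Wireshark or ntar code: a minimal Python reader for IDB options that bounds every value by its option length field, so if_name decodes the same whether or not the writer stored the trailing NUL, and that treats if_filter as a code byte followed by the filter. Little-endian byte order, the helper names and the sample option bytes are assumptions constructed for the illustration.

```python
import struct

# IDB option codes as they appear in the dump quoted above.
IF_NAME, IF_TSRESOL, IF_FILTER, IF_OS = 2, 9, 11, 12
STRING_OPTS = {IF_NAME, IF_OS}

def build_options(opts):
    """Encode (code, value bytes) pairs as little-endian pcapng options."""
    out = b""
    for code, value in opts:
        pad = (-len(value)) % 4            # values are padded to 32 bits
        out += struct.pack("<HH", code, len(value)) + value + b"\x00" * pad
    return out + struct.pack("<HH", 0, 0)  # opt_endofopt

def parse_idb_options(buf):
    """Decode options, using only the length field to bound each value."""
    result, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == 0:                      # opt_endofopt
            break
        if off + length > len(buf):
            raise ValueError("option %d overruns the block" % code)
        value = buf[off:off + length]      # fresh slice, no residue from earlier options
        off += length + (-length) % 4      # skip value and its padding
        if code in STRING_OPTS:
            if value.endswith(b"\x00"):    # accept writers that store the NUL
                value = value[:-1]
            result[code] = value.decode("utf-8", "replace")
        elif code == IF_FILTER and value:
            # First byte is the filter-type code, the rest is the filter.
            result[code] = (value[0], value[1:].decode("utf-8", "replace"))
        elif code == IF_TSRESOL and length == 1:
            result[code] = value[0]
        else:
            result[code] = value           # unknown option: keep raw bytes
    return result

# Constructed samples: one IDB written with NUL-terminated strings,
# one rewritten without the NUL and with if_tsresol added.
WITH_NUL = build_options([(IF_NAME, b"p3p1\x00"), (IF_FILTER, b"\x00udp"),
                          (IF_OS, b"Linux 3.2.7-1.fc16.x86_64\x00")])
WITHOUT_NUL = build_options([(IF_NAME, b"p3p1"), (IF_TSRESOL, b"\x06"),
                             (IF_OS, b"Linux 3.2.7-1.fc16.x86_64")])

if __name__ == "__main__":
    print(parse_idb_options(WITH_NUL))
    print(parse_idb_options(WITHOUT_NUL))
```
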
