Wireshark-bugs: [Wireshark-bugs] [Bug 6937] pcapng: shd_userappl in newly created files
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6937
--- Comment #7 from Jose Pedro Oliveira <jpo@xxxxxxxxxxxx> 2012-03-13 07:11:02 PDT ---
(In reply to comment #3)
> (In reply to comment #0)
> > Build Information:
> > TShark 1.7.1 (SVN Rev 41483 from /trunk)
> > --
> > Pcap-ng files created by Wiretap API based tools (tshark, editcap, and
> > wireshark(?) at the moment) inherit the shb_userappl value from the source file
> > and they shouldn't.
>
> Why not? should SHB_USERAPPL show the application which wrote the actual file
> or
> the application which did the capture? I can se both having merrit.
I think the my problem is in the interpretation of the specification
<quote>
"shb_userappl ... An UTF-8 string containing the name of the application used
to create this section"
</quote>
I mentally translated the "create" to a write operation. And I also biased for
using more the command line tools than wireshark (and using display filters in
tshark as capture filters: tshark -R <display_filter> -r in -w out).
> If I have a capture file and add notes to it and re-save it having the original
> SHB_USERAPPL would give me better information that it beeing overwritten by
> Wireshark especially if the application is something other than dumpcap.
> Same goes for splitting a file.
I do like your idea of attaching the changelog/history to the pcapng files.
> > Notes:
> > * Most likely the source file has been created by dumpcap
> > * Dumpcap pcapio API writes nul-terminated strings values to the pcapng file;
> > the wiretap API doesn't; the files will differ (option length values,
> > padding)
> > even if the new one is a copy of first one.
>
> Yes, is that a problem? why?
More like an "annoyance" than a problem. It fills odd for people like me, that
is trying to understand the project source code (in its spare time and not
being a full time developer), to discover that there are two APIs for writing
pcapng files and that they behave differently regarding strings values. Maybe
having documentation about the APIs would help...
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.