Wireshark-bugs: [Wireshark-bugs] [Bug 12303] New: ERF metadata support
Date: Tue, 29 Mar 2016 03:23:09 +0000
Bug ID: 12303
Summary: ERF metadata support
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Enhancement
Priority: Low
Component: Capture file support (libwiretap)
Assignee: bugzilla-admin@wireshark.org
Reporter: anthony.coddington@endace.com

Created attachment 14451
ERF_TYPE_META record per second injected into some synthetic traffic.

This bug tracks support for ERF ERF_TYPE_META metadata records in Wireshark.

ERF_TYPE_META (MetaERF) records have a payload consisting of TLV metadata,
divided into sections which define the context of the TLV tag. ERF_TYPE_META
records generally have a Host ID extension header used to link metadata to
packet records with the same Host ID and Source ID. The Host ID is used to
identify the capturing host and can also be used to distinguish records from
multiple hosts in the same file. The 8-bit Source ID is used for distinguishing
records from multiple sources in the same file and for metadata linking. The
associated Host ID can either be explicit on all records, or implicit where the
Host ID extension header is only present on ERF_TYPE_META records and other
records are associated using only the Source ID in the Flow ID extension
header.

Change 12708 (https://code.wireshark.org/review/#/c/12708/)
added basic heuristic updates to allow opening trace files with ERF_TYPE_META
records. It was backported to master-2.0 and master-1.12.

Change 14510 (https://code.wireshark.org/review/#/c/14510/)
adds dissection of ERF_TYPE_META records, per-HostID/per-SourceID wtap
interfaces and basic (read-only) ERF_TYPE_META support in wiretap. It adds
support for displaying some fields of the 'first' ERF_TYPE_META record in the
Capture File Properties screen. Some summary fields are concatenated and merged
to provide more useful information and combine ERF sources, streams and
interfaces into wtap interfaces. It includes some support for
REC_TYPE_FT_SPECIFIC_REPORT but this is disabled for compatibility with the
PCAP-NG dumper for now.

Attached is a sample capture file with one ERF_TYPE_META record per second
injected into some synthetic traffic.


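
The Host ID / Source ID linking described in the report, as an added example (not part of the original report and not Wireshark code). It works on already-decoded records in a hypothetical dict layout, and it assumes that a packet links to the most recent ERF_TYPE_META record seen so far and that an implicit Host ID is taken from the ERF_TYPE_META records sharing the packet's Source ID; a packet with no Host ID whose Source ID has been used by more than one host is reported as ambiguous rather than guessed.

```python
def link_records(records):
    """Link packet records to the latest metadata for their (Host ID, Source ID).

    `records` is a list of already-decoded records in file order (a
    hypothetical dict layout, not Wireshark's): 'type' is 'meta' or 'packet',
    'source_id' is the 8-bit Source ID, 'host_id' is None when the record
    carries no Host ID extension header.
    """
    hosts_by_source = {}  # Source ID -> Host IDs seen on META records
    latest_meta = {}      # (Host ID, Source ID) -> most recent metadata
    results = []          # (packet name, link key, metadata, status)
    for rec in records:
        sid, host = rec["source_id"], rec.get("host_id")
        if not 0 <= sid <= 0xFF:
            raise ValueError(f"Source ID {sid} does not fit in 8 bits")
        if rec["type"] == "meta":
            hosts_by_source.setdefault(sid, set()).add(host)
            latest_meta[(host, sid)] = rec["meta"]
            continue
        status = "explicit"
        if host is None:
            # Implicit case: only the Source ID is known, so the Host ID
            # has to come from META records seen for that Source ID.
            candidates = hosts_by_source.get(sid, set())
            if len(candidates) > 1:
                results.append((rec["name"], None, None, "ambiguous"))
                continue
            host = next(iter(candidates), None)
            status = "implicit"
        meta = latest_meta.get((host, sid))
        results.append((rec["name"], (host, sid), meta,
                        status if meta is not None else "unlinked"))
    return results

# Constructed sample records (not taken from the attached capture).
SAMPLE = [
    {"type": "meta", "host_id": 0xA1, "source_id": 1, "meta": {"name": "probe-a"}},
    {"type": "packet", "name": "p1", "host_id": None, "source_id": 1},
    {"type": "packet", "name": "p2", "host_id": 0xA1, "source_id": 1},
    {"type": "packet", "name": "p3", "host_id": 0xB2, "source_id": 1},
    {"type": "meta", "host_id": 0xB2, "source_id": 1, "meta": {"name": "probe-b"}},
    {"type": "packet", "name": "p4", "host_id": None, "source_id": 1},
    {"type": "packet", "name": "p5", "host_id": 0xB2, "source_id": 1},
    {"type": "packet", "name": "p6", "host_id": None, "source_id": 2},
]
```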