Wireshark-dev: Re: [Wireshark-dev] Portability issue of capture files.
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Andreas Fink <andreas@xxxxxxxx>
Date: Thu, 7 Sep 2006 10:19:22 +0200

Most frequently that's due to using FTP and not setting binary mode.
Does the file's checksum change from machine to machine after copying it?

no.  iIuse scp to copy from machine to machine.


The PCAP/Wiretap library is supposed to figure out the endianism of the
host where the file was generated automatically so normally there's no
problem with that.  (I frequently look at capture files from SPARC
machines on my Intel laptop, including with 0.99.3.)

I did that too in the past.

Which is not the case... I just tried to open some files with my intel
based minimac and they do not work... oddly enough capture works only
if you are seeing packets in real-time, if instead you try to capture
without it fails to open them.

Same behaviour here. I look at them in real time usually, even over remote X connection.

The issue here is that it doesn't appear to be an endianess issue, the
file header is read ok, so it is the first packet's, with the second
packet I see a very odd thing:

pcapio.c writes this:

ts_sec 7D91FF44 44FF917D
ts_usec 5BE20800 0008E25B
incl_len 56010000 00000156
orig_len 56010000 00000156

wiretap's libpcap.c reads this:

ts_sec 07010016 16000107
ts_usec CB05E505 05E505CB
incl_len 32040A00 000A0432
orig_len 01053304 04330501


Uh. thats odd.


So there's an issue here but it has nothing to do with endianity...
neither it does with FTP which BTW i didn't use.

Ok. so we spotted a real bug. is this one in libwiretap?  I don't think so as libwiretrap is the same as when I tried it before.

Andreas Fink
Fink Consulting GmbH
---------------------------------------------------------------
Tel: +41-61-6666332 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
---------------------------------------------------------------
ICQ: 8239353
MSN: afink@xxxxxxxxxxxxxxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333