Wireshark-dev: [Wireshark-dev] PCAP-NG Block Formats
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Fri, 10 Jun 2016 12:19:59 +0000

I’m writing some code that produces PCAP-NG files that I subsequently read with Wireshark.  However, WS throws an error when I open the resulting file and it’s complaining about there not being enough data left in an Enhanced Packet Block to satisfy the stated size of an option.  I’ve think I know what’s wrong but it’s led me to a fundamental question.

 

In the documentation in https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html section 3.3 the diagram shows that a variable length Options block can exist at the end of an Enhanced Packet Block.  I have assumed that if I don’t want to specify options I have to add an Option Code opt_endofopt and Option Length of zero at the point, which comes to four bytes 0x00000000.

 

However, I’ve noticed that Wireshark generated traces don’t seem to do this.  All the examples I have looked at have two bytes of zeros, but this happens to align the end of the packet data on a 32-bit boundary and so I’m not sure if that’s the reason for the two bytes.

 

·        If I don’t want to add options to a packet, what should I add just prior to the trailing Block Total Length value?

·        Is this a Wireshark bug (writing incorrect format PCAP-NG files)?

 

Thanks and regards…Paul

 

Paul Offord FBCS CITP
Chief Technical Officer
Advance7

Phone:  01279 211 668
Mobile:  07764 931 431
Email:  paul.offord@xxxxxxxxxxxx
LinkedIn:  https://uk.linkedin.com/in/paulofford

 


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________