
Wireshark-bugs: [Wireshark-bugs] [Bug 2560] New: editcap -c option drops data

Date: Thu, 22 May 2008 21:05:41 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2560

           Summary: editcap -c option drops data
           Product: Wireshark
           Version: 1.0.0
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: High
         Component: Extras
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: graham.lynas@xxxxxxxxx


Created an attachment (id=1811)
 --> (http://bugs.wireshark.org/bugzilla/attachment.cgi?id=1811)
Original Packet Form

Build Information:
Version 1.0.0

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.8, with GLib 2.14.6, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.5,
with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT
Kerberos, with PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Using editcap to dump out hour-specific packets from a multi-day capture file,
I have noticed that including the -c "65530" option will give output files
that are true to the packet count specified, but the packet information written
is not correct.

EXAMPLE 1:

Export all packets from 2008/05/05 at 2200 to a separate file:
"C:\Program Files\Wireshark\editcap.exe" -A "2008-05-05 22:00:00" -B
"2008-05-05 22:59:59" "D:\Temp\test.cap" "D:\Temp\200805052200.cap"

This works perfectly, and all 200805052200.cap packet data written is exactly
as in the original test.cap multi-hour file. The only problem: it creates a
file with 88739 packets in it, and I need to export and import into Excel, so I
need to limit the packet count to 65530 for each file.

EXAMPLE 2:

Export all packets from 2008/05/05 at 2200 to a separate file, limited to 65530
packets per file:
"C:\Program Files\Wireshark\editcap.exe" -c "65530" -A "2008-05-05 22:00:00" -B
"2008-05-05 22:59:59" "D:\Temp\test.cap" "D:\Temp\200805052200.cap"

This creates 2 files, 200805052200.cap-00000 and 200805052200.cap-00001. This
holds true to the 65530 limit per file, but the packets written to the second
file 00001 have been modified. The majority of traffic in this hour was a VoIP
call, so lots of RTP packets and RTCP packets, with some SIP, SIP/SDP, UDP on
5060.

File 00000 contains the first 65530 packets, with correct packet details as
expected. RTP, RTCP, SIP, SIP/SDP packets are written intact.

File 00001 has the correct number of remaining packets, but the RTP and RTCP
packets have lost their descriptors.

Protocols in frame: eth:ip:udp:rtcp has changed to Protocols in frame:
eth:ip:udp:data, and the Real-time Transport Control Protocol (Source
description) packet detail has completely disappeared, replaced with Data (32
bytes). Same problem with all the RTP packets.

Protocols in frame: eth:ip:udp:rtp has changed to Protocols in frame:
eth:ip:udp:data, and the Real-time Transport Protocol (Source description)
packet detail has completely disappeared, replaced with Data (32 bytes).

I have not tried with a larger file, as this was the failure point at which I stopped.

Editcap in -c option mode therefore cannot be used reliably to produce multiple files.

As I only do basic web and voip data, I do not have any avenue to test other
protocols.

I have attached a text file export of the same packet. Before is at the top in
its original form in both the test.cap original file, and the 200805052200.cap
single file option. After is at the bottom in the way it was written to the
200805052200.cap-00001 file.

Regards

Graham


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
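The symptom above (RTP/RTCP decoding as plain "data" only in the second split file) is the signature of context-dependent dissection: Wireshark recognises RTP and RTCP by the conversations it sets up when it parses the SIP/SDP signalling, so a file that contains the media packets but not the SDP that announced the media port shows them as undissected UDP. The following is an added illustration written for this page, not Wireshark or editcap code and not from the reporter: a toy stateful dissector over a constructed packet list, split by packet count the way editcap -c splits a capture, so that each piece is dissected on its own. The packet layout, port numbers and the helper names (`make_packets`, `dissect`, `split_by_count`, `dissect_split`) are assumptions of this model, and it reads the SDP media port directly instead of parsing real SIP.

```python
"""Toy model of context-dependent dissection across an editcap -c style split.

Constructed example, not Wireshark code: a minimal stateful dissector that only
labels UDP traffic as RTP/RTCP after it has seen an SDP offer naming the media
port (Wireshark sets up RTP conversations from SIP/SDP in the same spirit).
Splitting the packet list by count, as editcap -c does, and dissecting each
piece independently shows the later piece losing its RTP/RTCP labels.
"""
from collections import Counter


def make_packets(n_media=10, media_port=10000):
    """Constructed capture: one SIP/SDP INVITE, then alternating RTP and RTCP.

    RTP goes to the announced media port, RTCP to media_port + 1 (the usual
    pairing). Port numbers and counts are made up for the illustration.
    """
    pkts = [{"kind": "sip_sdp", "media_port": media_port}]
    for i in range(n_media):
        port = media_port if i % 2 == 0 else media_port + 1
        pkts.append({"kind": "udp", "dst_port": port, "len": 32})
    return pkts


def dissect(packets):
    """Return a 'Protocols in frame' string for every packet, in order.

    Stateful: the SDP media port (and port + 1 for RTCP) is registered when
    the SDP packet is seen; UDP to any unregistered port is just 'data'.
    State starts empty for every call, as it does when a file is opened.
    """
    rtp_ports, rtcp_ports = set(), set()
    out = []
    for p in packets:
        if p["kind"] == "sip_sdp":
            rtp_ports.add(p["media_port"])
            rtcp_ports.add(p["media_port"] + 1)
            out.append("eth:ip:udp:sip:sdp")
        elif p["dst_port"] in rtp_ports:
            out.append("eth:ip:udp:rtp")
        elif p["dst_port"] in rtcp_ports:
            out.append("eth:ip:udp:rtcp")
        else:
            out.append("eth:ip:udp:data")
    return out


def split_by_count(packets, per_file):
    """Mimic editcap -c N: consecutive chunks of at most N packets."""
    return [packets[i:i + per_file] for i in range(0, len(packets), per_file)]


def dissect_split(packets, per_file):
    """Dissect each chunk on its own, as opening each output file would,
    and return a per-chunk Counter of protocol strings."""
    return [Counter(dissect(chunk)) for chunk in split_by_count(packets, per_file)]


if __name__ == "__main__":
    pkts = make_packets()
    print("whole capture:", dict(Counter(dissect(pkts))))
    for i, counts in enumerate(dissect_split(pkts, 6)):
        # chunk -00000 still holds the SDP, chunk -00001 does not
        print(f"chunk -{i:05d}:", dict(counts))
```

Dissecting the whole list labels every media packet; after a split at six packets the first piece still decodes RTP/RTCP (it contains the SDP) while the second piece is all "data", even though not a byte of the packets changed. The same check can be run against the real output files with `tshark -r <file> -T fields -e frame.protocols`, comparing the distribution of protocol strings in the -00000 and -00001 files against the unsplit capture; if the bytes are identical (editcap -c writes the frames unchanged) but the protocol column differs, the loss is in dissection context rather than in the data written.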