
Wireshark-bugs: [Wireshark-bugs] [Bug 5869] New: Enhancements to Network Instruments Observer fi

Date: Thu, 28 Apr 2011 11:36:42 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5869

           Summary: Enhancements to Network Instruments Observer file format
           Product: Wireshark
           Version: 1.5.x (Experimental)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: tombr@xxxxxxxxxxx


Created an attachment (id=6249)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6249)
Patch file which affects the following files: file_access.c,
network_instruments.c, network_instruments.h, and wtap.

Build Information:
----Ubuntu 10.10----
Version 1.5.2 (SVN Rev 36938 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.22.0, with GLib 2.26.1, with libpcap 1.1.1, with
libz 1.2.3.4, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.6, with
Gcrypt 1.4.5, without Kerberos, without GeoIP, without PortAudio, without
AirPcap.

Running on Linux 2.6.35-22-generic, with libpcap version 1.1.1, with libz
1.2.3.4, GnuTLS 2.8.6, Gcrypt 1.4.5.

Built using gcc 4.4.5.

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.

----Windows----
Version 1.5.2 (SVN Rev 36938 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Apr 28 2011), with AirPcap.

Running on 64-bit Windows 7, build 7600, without WinPcap, GnuTLS 2.10.3, Gcrypt
1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Network Instruments would like to submit the following patch to enhance
handling of our BFR file format.

This patch incorporates the majority of the changes in the community patch
attached to bug 5671 along with some additional enhancements.  It is submitted
as a replacement for that patch.

Patch has been tested in latest SVN trunk (rev 36938) on both Ubuntu 10.10 x64
and Windows 7 x64 (32-bit executable).

This patch incorporates the following fixes from the patch attached to bug 5671
with changes as noted below:

1.) Files where the packet header and packet data are noncontiguous are handled
improperly, resulting in read misalignment and ultimately the error message,
"Observer: bad record: Invalid magic number 0xXXXXXXXX." This bug is caused by
not obeying the packet_entry_header.offset_to_frame field.

2.) Daylight saving time is not properly accounted for in files using local
time encoding.

3.) As of Observer/GigaStor v13.10 (bug 5671 incorrectly stated v14),
timestamps in the file format changed from local time encoding to GMT
encoding. Wiretap has been changed to support reading both formats. The patch
submitted with bug 5671 added a separate file type to allow writing the local
format. This patch does not add the separate file type and always writes GMT.

4.) The wtap_dumper.bytes_dumped field is not being properly incremented as
data is written to files.

This patch also incorporates the following additional enhancements / fixes not
in bug 5671:

1.) Support for reading BFR files which contain Fibre Channel captures.  Test
file Fibre_Channel_Capture.bfr attached.

2.) Support for the modified file header used in the upcoming v15. The new
header format takes an unused byte from the version string to allow a larger
offset to the first packet to be specified. Test file V15_Lrg_Hdr_Test.bfr is
attached; it is also a fuzz test, as the number of TLV items given in the header
is less than the actual number.

3.) It was found that if the number of TLV items given in the header was larger
than the number present, it would fail to open the file. Test file
V9_Num_TLVs_Too_Big.bfr is attached.
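As an added illustration, not part of this bug report or of the Wireshark patch it describes, the C code below shows the defensive record-reading behaviour that items 1.) of the first list and 2.) and 3.) of the second list call for: seek to the frame data using the header's offset field rather than assuming the frame follows the header, and treat the header's TLV count as an upper bound that is checked against the bytes actually present, so a count that is too large or too small degrades gracefully instead of failing the open or reading out of bounds. The record layout, the magic value, the field names and the sample byte arrays are all constructed for this example and are not the Observer/BFR format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for illustration only (NOT the real BFR format):
 *   magic (u32 LE) | offset_to_frame (u32 LE) | frame_len (u32 LE) | tlv_count (u16 LE)
 *   then zero or more TLVs (type u8, len u8, value) and, at offset_to_frame, the frame. */
#define REC_MAGIC   0x4F425352u   /* constructed magic value */
#define REC_HDR_LEN 14

enum rec_status { REC_OK = 0, REC_ERR_SHORT = -1, REC_ERR_MAGIC = -2,
                  REC_ERR_OFFSET = -3, REC_ERR_FRAME = -4 };

struct rec_info {
    uint32_t offset_to_frame;
    uint32_t frame_len;
    uint16_t tlv_declared;   /* count claimed by the header */
    uint16_t tlv_seen;       /* count actually found before the frame */
    const uint8_t *frame;    /* points into the caller's buffer */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one record from buf[0..len). Every header-supplied length or offset is
 * validated against len before it is used. */
int parse_record(const uint8_t *buf, size_t len, struct rec_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < REC_HDR_LEN) return REC_ERR_SHORT;
    if (rd_le32(buf) != REC_MAGIC) return REC_ERR_MAGIC;
    out->offset_to_frame = rd_le32(buf + 4);
    out->frame_len = rd_le32(buf + 8);
    out->tlv_declared = rd_le16(buf + 12);

    /* The frame must start at or after the fixed header and inside the buffer. */
    if (out->offset_to_frame < REC_HDR_LEN || out->offset_to_frame > len) return REC_ERR_OFFSET;
    /* Subtract rather than add so an oversized frame_len cannot wrap around. */
    if (out->frame_len > len - out->offset_to_frame) return REC_ERR_FRAME;

    /* Walk TLVs in the gap between the fixed header and the frame. Stop at
     * whichever comes first: the declared count or the end of the gap, so an
     * overstated count is harmless and an understated one just leaves TLVs unread. */
    size_t pos = REC_HDR_LEN, end = out->offset_to_frame;
    while (out->tlv_seen < out->tlv_declared && pos + 2 <= end) {
        uint8_t tlv_len = buf[pos + 1];
        if (pos + 2 + tlv_len > end) break;   /* truncated TLV: never read into the frame */
        pos += 2 + tlv_len;
        out->tlv_seen++;
    }
    /* Honour the offset field instead of assuming the frame is contiguous with the header. */
    out->frame = buf + out->offset_to_frame;
    return REC_OK;
}

/* Scalar helpers so the outcome of a sample is easy to check. */
int record_status(const uint8_t *buf, size_t len) { struct rec_info r; return parse_record(buf, len, &r); }
int record_tlvs_seen(const uint8_t *buf, size_t len) {
    struct rec_info r; return parse_record(buf, len, &r) == REC_OK ? (int)r.tlv_seen : -1;
}
int record_frame_byte0(const uint8_t *buf, size_t len) {
    struct rec_info r;
    return (parse_record(buf, len, &r) == REC_OK && r.frame_len > 0) ? (int)r.frame[0] : -1;
}

/* Constructed sample: header claims 5 TLVs but only 2 exist before the frame. */
const uint8_t sample_tlv_count_too_big[] = {
    0x52,0x53,0x42,0x4F,  22,0,0,0,  4,0,0,0,  5,0,
    0x01,0x02,0xAA,0xBB,  0x02,0x02,0xCC,0xDD,   /* two TLVs, 8 bytes */
    0xDE,0xAD,0xBE,0xEF                          /* frame at offset 22 */
};
/* Constructed sample: no TLVs, 6 bytes of padding, frame starts at offset 20. */
const uint8_t sample_noncontiguous_frame[] = {
    0x52,0x53,0x42,0x4F,  20,0,0,0,  2,0,0,0,  0,0,
    0,0,0,0,0,0,          /* padding the offset field must skip */
    0xCA,0xFE
};
/* Constructed sample: offset_to_frame points past the end of the buffer. */
const uint8_t sample_bad_offset[] = {
    0x52,0x53,0x42,0x4F,  200,0,0,0,  4,0,0,0,  0,0
};

int main(void)
{
    printf("overstated TLV count: status %d, tlvs seen %d\n",
           record_status(sample_tlv_count_too_big, sizeof sample_tlv_count_too_big),
           record_tlvs_seen(sample_tlv_count_too_big, sizeof sample_tlv_count_too_big));
    printf("noncontiguous frame: first byte 0x%02X\n",
           record_frame_byte0(sample_noncontiguous_frame, sizeof sample_noncontiguous_frame));
    printf("bad offset: status %d\n", record_status(sample_bad_offset, sizeof sample_bad_offset));
    return 0;
}
```

The same pattern applies to any header-declared count or offset in a capture format: validate it against the bytes actually available before seeking or looping on it, and prefer bounding the loop by the data present over trusting the header's number.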
