
Wireshark-bugs: [Wireshark-bugs] [Bug 5869] Enhancements to Network Instruments Observer file fo

Date: Fri, 29 Apr 2011 07:59:37 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5869

--- Comment #5 from Tom Brezinski <tombr@xxxxxxxxxxx> 2011-04-29 07:59:36 PDT ---
(In reply to comment #4)
> Would writing out capture files with "ObserverPktBufferVersion=15.00" rather
> than "ObserverPktBufferVersion=09.00" mean that older versions of Observer
> wouldn't be able to read the captures?
> 
> If so, perhaps we'd want to pick up another item from bug 5671:
> 
>   3.) As of Observer/GigaStor v13.10 (bug 5671 incorrectly stated v14),
>   timestamps in the file format changed from local time encoding to GMT
>   encoding. Wiretap has been changed to support reading both formats.
>   Patch submitted with bug 5671 added a separate file type to allow
>   writing local format.  This patch does not add the separate file type
>   and always writes GMT.
> 
> to allow writing out in both file formats.

Older versions will read it just fine even though it has a v15 tag.  The file
format is designed to be backwards compatible.  In Observer versions before
v13.1 the software will ignore the unknown TLV tag for the time format and
treat it as local time.  Due to the licensing and support model for Observer,
though, very few (if any) people are running versions earlier than v13.1, so we
would prefer to keep it simple and just have one file type.  Until a major
change is made in the format which breaks backward compatibility we do not see
the need for a separate file type.

Also, files written by Wireshark will never have a large enough header to
utilize the new offset field in the v15 format, so anything converted to BFR in
Wireshark will always be backward compatible.  The obvious exception being if
you open a BFR file which utilizes the new offset and do a save-as BFR in which
case Wireshark just does a file copy since there is nothing to convert.  Even
then the majority of captures made with Observer v15 will not be utilizing the
new field.  In future versions if the need arises to store more data in the
header it may become more common.
