Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 7381] pcapng - mergecap generates unusable file if interfa

Date: Tue, 10 Jul 2012 20:55:54 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7381

Jim Young <jyoung@xxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|The file appears to be      |pcapng - mergecap generates
                   |damaged or corrupt..        |unusable file if interface
                   |(pcapng: interface index 1  |index 0 has no packets.
                   |is not less than interface  |
                   |count 1.)                   |

--- Comment #7 from Jim Young <jyoung@xxxxxxx> 2012-07-10 20:55:53 PDT ---
Summary updated to reflect root cause.

The mergecap generated output file will only include an IDB for an interface
from which packets are present.

Start with a pcapng file with multiple Interface Description Blocks (IDBs) but
where interfaces represented by the lower numbered interface indexes do not
have any packets.   Generate a new pcapng file with mergecap using the pcapng
file with multiple IDBs.  Subsequent processing of the new mergecap generated
output file by the various wireshark pcapng aware tools will result in messages
such as:

> The file appears to be damaged or corrupt.. (pcapng: interface index 1 is not less than interface count 1.)

Mergecap presents some unique problems with regards to what type of fixup
should be done to the pcapng IDBs and their index values.  If you use mergecap
to combine files captured with dumpcap's ringbuffer option then the IDBs
indexes across each input likely refer to the same interfaces.  But if you
attempt to combine pcapng files files taken from several different systems then
the IDBs present within the various files with identical index numbers do not
represent the same interface.

Not sure what are the proper fixes for these IDB and index issues.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.