Wireshark-bugs: [Wireshark-bugs] [Bug 7381] pcapng - mergecap generates unusable file if interfa

Date: Sat, 14 Jul 2012 15:31:45 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7381

Balint Reczey <balint.reczey@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |balint.reczey@xxxxxxxxxxxx

--- Comment #13 from Balint Reczey <balint.reczey@xxxxxxxxxxxx> 2012-07-14 15:31:44 PDT ---
(In reply to comment #8)
> As of rev 43657, instead of generating unreadable files, mergecap should report
> "mergecap: Error writing to outfile: Internal error".
> 
> I'll work on actually *fixing* it, but that's a bigger change.
> 
> What mergecap needs to do, when writing packets in a file format that supports
> interface information (currently, we only support it for pcap-ng) is, for all
> input files that have interface information, build a "merged" interface list
> for all the interfaces, *regardless* of whether any packets were captured on
> them or not.  For input files that *don't* have interface information, it
> should create "fake" interfaces.
> 
> The simplest technique is to just build a list that includes *all* the
> interfaces and a fake interface for each link-layer type that appears in the
> input files that don't have interface information.
> 
> However, in some cases, this could result in packets that were, in fact,
> captured on the *same* interface being reported as coming from *different*
> interfaces that happen to have the same name.  Consider, for example, using
> mergecap to append a capture done on a machine's "en0" interface to another
> capture done on the same machine's "en0" interface.
> 
> So one alternative would be to merge all interfaces that have the same
> link-layer type and the same values for all options.  This could, in theory,
> result in interfaces that *shouldn't* be merged being merged anyway; adding an
> additional IDB option for the host name of the machine on which the capture is
> being done (if you're doing an rpcap or other remote capture, this would be the
> name of the machine running the capture program, *not* the remote machine with
> the interface - that machine's host name would be in the interface name, as
> that would be the URL used) would probably prevent most if not all of those.
> 
> For fake interfaces, we should probably create one for each link-layer
> type/snapshot length pair seen in the files that don't have interface
> information, those being the only bits of information that can be supplied for
> fake interfaces (well, with the exception of the time stamp resolution, but
> getting that for fake interfaces requires us to fetch that from Wiretap for the
> opened files, which is a project for the future).

How about implementing two strategies:
1: Relaxed, where interfaces with the same names are considered to be the same
interfaces. This would work fine for pcapng files captured on a single machine.
2: Mr. Proper, where if an interface name collision is present across the files,
mergecap exits.
This mode would also allow passing mapping file(s) to mergecap, where the user
can set up an original name -> output name per capture file and if the
collisions can be resolved by using the mappings then mergecap would do that
without exiting.

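
The interface-list construction discussed in this thread, as an added C sketch that is not Wireshark's code and not from either commenter: it keeps every named interface, creates one fake interface per link-layer type/snapshot length pair, and applies the "relaxed" or "Mr. Proper" (strict) rule to name collisions. `struct iface`, `merge_interfaces` and the sample data are hypothetical; mapping files are left out, and `out[]` and `map[]` must have room for `n` entries.

```c
#include <stdio.h>
#include <string.h>

/* Simplified interface record for this sketch (not Wiretap's real struct).
 * name == NULL: the input file carried no interface information. */
struct iface { int file; const char *name; int linktype; int snaplen; };
enum merge_mode { MERGE_RELAXED, MERGE_STRICT };

/* Constructed sample: files 0-1 have interface info, files 2-4 do not.
 * Link-layer type 1 is Ethernet, 0 is BSD loopback. */
static const struct iface SAMPLE[] = {
    {0, "en0", 1, 65535}, {0, "lo0", 0, 65535},
    {1, "en0", 1, 65535},
    {2, NULL, 1, 96}, {3, NULL, 1, 96}, {4, NULL, 1, 65535},
};

/* Fills out[] with the merged interface list and map[i] with the output
 * index for in[i]. Returns the number of output interfaces, or -1 when
 * strict mode sees the same interface name in two different input files. */
int merge_interfaces(const struct iface *in, int n, enum merge_mode mode,
                     struct iface *out, int *map)
{
    int nout = 0;
    for (int i = 0; i < n; i++) {
        int hit = -1;
        for (int j = 0; j < nout && hit < 0; j++) {
            if (in[i].name == NULL && out[j].name == NULL) {
                /* Fake interfaces: one per link-layer type/snaplen pair. */
                if (in[i].linktype == out[j].linktype &&
                    in[i].snaplen == out[j].snaplen)
                    hit = j;
            } else if (in[i].name != NULL && out[j].name != NULL &&
                       strcmp(in[i].name, out[j].name) == 0 &&
                       in[i].file != out[j].file) {
                if (mode == MERGE_STRICT)
                    return -1;          /* name collision across files */
                /* Relaxed: same name means same interface. Requiring an
                 * equal link-layer type is an assumption of this sketch. */
                if (in[i].linktype == out[j].linktype)
                    hit = j;
            }
        }
        if (hit < 0) {      /* new interface: keep it even if unused */
            out[nout] = in[i];
            hit = nout++;
        }
        map[i] = hit;
    }
    return nout;
}

int main(void) {
    struct iface out[6]; int map[6];
    printf("relaxed: %d\n", merge_interfaces(SAMPLE, 6, MERGE_RELAXED, out, map));
    printf("strict:  %d\n", merge_interfaces(SAMPLE, 6, MERGE_STRICT, out, map));
    return 0;
}
```

Each packet written to the merged file would then carry `map[i]` as its interface ID, so every ID refers to an interface that is actually in the output list.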