Wireshark-bugs: [Wireshark-bugs] [Bug 4223] New: Per frame media type for Network Monitor 3 capt

Date: Mon, 9 Nov 2009 11:08:07 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4223

           Summary: Per frame media type for Network Monitor 3 capture file
                    format 2.1
           Product: Wireshark
           Version: 1.2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: paullo@xxxxxxxxxxxxx


Build Information:
Version 1.2.0 (SVN Rev 28753)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.14.7, with GLib 2.18.4, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, without libpcre, without SMI,
without c-ares, without ADNS, with Lua 5.1, without GnuTLS, without Gcrypt,
without Kerberos, without GeoIP, with PortAudio V19-devel (built Jun 15 2009),
without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Windows Vista, build 7600, without WinPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
In order for Network Monitor to handle multiple media types in the same capture
file, the netmon2.x capture file format has been extended to allow each frame
to have its own media type.

The Network Monitor 3.3 help file has details about the file format.  The Media
Type per frame is described in Network Monitor Overview->Capture File
Format->Network Monitor Capture File Format -> Frame Layout.

The format is as follows:

TimeOffsetLocal - UINT64 - 8 bytes
FrameLengthWire - DWORD - 4 bytes - original frame length
FrameLength - DWORD - 4 bytes - captured frame length
FrameData - BYTE[] - FrameLength
MediaType - WORD - 2 bytes
ProcessInfoIndex - ULONG - 4 bytes

MediaType follows the frame data.  Since the frame table defines the boundaries
of the frame metadata, extra space following the frame is used to hold
MediaType and ProcessInfoIndex.

In the attached capture, the offset 0x9a has the per frame media type of 1
(ethernet).


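The frame layout in the report above, written out as a bounds-checked reader. This is an added example, not code from the report or from Wireshark. It assumes little-endian fields and a record length taken from the frame table; the names `nm_frame`, `nm_parse_frame` and `nm_sample` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NM_HDR_LEN 16u /* TimeOffsetLocal(8) + FrameLengthWire(4) + FrameLength(4) */

struct nm_frame {
    uint64_t time_offset_local;
    uint32_t frame_length_wire, frame_length;
    const uint8_t *frame_data;
    int has_media_type, has_process_info;
    uint16_t media_type;          /* valid only if has_media_type */
    uint32_t process_info_index;  /* valid only if has_process_info */
};

/* Assumption: all fields are stored little-endian. */
static uint64_t rd_le(const uint8_t *p, unsigned n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* rec/rec_len: one record as delimited by the frame table. Returns 0 or -1. */
int nm_parse_frame(const uint8_t *rec, size_t rec_len, struct nm_frame *f) {
    if (rec_len < NM_HDR_LEN) return -1;            /* truncated fixed header */
    f->time_offset_local = rd_le(rec, 8);
    f->frame_length_wire = (uint32_t)rd_le(rec + 8, 4);
    f->frame_length      = (uint32_t)rd_le(rec + 12, 4);
    /* FrameLength comes from the file: compare without overflowing. */
    if (f->frame_length > rec_len - NM_HDR_LEN) return -1;
    f->frame_data = rec + NM_HDR_LEN;
    const uint8_t *tail = f->frame_data + f->frame_length;
    size_t extra = rec_len - NM_HDR_LEN - f->frame_length;
    f->has_media_type   = extra >= 2;   /* older records carry no trailer */
    f->has_process_info = extra >= 6;
    f->media_type = f->has_media_type ? (uint16_t)rd_le(tail, 2) : 0;
    f->process_info_index = f->has_process_info ? (uint32_t)rd_le(tail + 2, 4) : 0;
    return 0;
}

/* Constructed sample record: 4 data bytes, MediaType 1, ProcessInfoIndex 7. */
static const uint8_t nm_sample[] = {
    0x10,0x27,0,0,0,0,0,0,  0x40,0,0,0,  0x04,0,0,0,
    0xde,0xad,0xbe,0xef,  0x01,0x00,  0x07,0,0,0 };

int main(void) {
    struct nm_frame f;
    if (nm_parse_frame(nm_sample, sizeof nm_sample, &f) != 0) return 1;
    printf("captured=%u media_type=%u process=%u\n", (unsigned)f.frame_length,
           (unsigned)f.media_type, (unsigned)f.process_info_index);
    return 0;
}
```

A record whose length leaves no room after FrameData parses with `has_media_type` cleared, so a reader can fall back to the file-level media type.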