https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3606
--- Comment #4 from Chris Maynard <christopher.maynard@xxxxxxxxx> 2010-10-07 12:02:56 PDT ---
I think the problem here is that pcap_write_phdr() doesn't write out the erf
extension headers. But even if they were written, these erf-encapsulated
packets have more than 8 extension headers; however, the pseudo header seems to
limit the number to 8, so the resulting file would have truncated the extension
headers anyway, which isn't what you want.
To resolve these problems, I think it would be better to just eliminate the erf
pseudo-header altogether and simply read in all the packet bytes and let the
packet-erf dissector process the bytes as appropriate. Writing selected
packets out to another file is then trivial. This is essentially what I've
done recently for the USB pseudo header, and I think it works a lot better.
For example, the USB URB bytes are now highlighted when a field is selected
whereas previously those bytes only resided in the pseudo-header and so
couldn't be highlighted. Looking at the erf header, you don't see what bytes
are associated with which header fields because they don't actually exist in
the tvb but rather they're only in the pseudo header.
(See bug #4664 for more details on the USB changes that were made.)
BTW, is there an ERF specification available somewhere? The only thing I could
find is here: http://homepages.laas.fr/owe/ZOO/Zoo_user_manual.pdf. Perhaps
someone from Endace (http://www.endace.com/) could provide it or a link to it?
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
