
Wireshark-bugs: [Wireshark-bugs] [Bug 5407] New: Editcap doesn't work on 0 timestamp pcap.

Date: Mon, 15 Nov 2010 14:39:38 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5407

           Summary: Editcap doesn't work on 0 timestamp pcap.
           Product: Wireshark
           Version: SVN
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Extras
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jliu@xxxxxxxxxxxxxxxxxxxx


Build Information:
wireshark 1.4.1

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.8, (32-bit) with GLib 2.12.9, with libpcap 0.9.4, with
libz 1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI,
without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with
Gcrypt 1.2.3, without Kerberos, without GeoIP, without PortAudio, without
AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.19-1.2911.fc6, with libpcap version 0.9.4, with libz
1.2.3,
Gcrypt 1.2.3.

Built using gcc 4.1.1 20070105 (Red Hat 4.1.1-51).

--
I have a pcap and want to use editcap to convert it to libpcap format, but it
generated a target pcap file containing only the pcap file header. I enabled the
verbose switch with '-v' but did not find anything.
I spent some hours on this issue; finally I found it was caused by a 0 timestamp
value in my source pcap.

editcap.c:
........
      check_ts = check_timestamp(wth);
      if ( ((check_startstop && check_ts) || (!check_startstop && !check_ts))
&& ((!selected(count) && !keep_em) || (selected(count) && keep_em)) ) {
...........

static gboolean
check_timestamp(wtap *wth)
{
  struct wtap_pkthdr* pkthdr = wtap_phdr(wth);
  return ( pkthdr->ts.secs >= starttime ) && ( pkthdr->ts.secs <= stoptime);
}
....
If pkthdr->ts.secs is 0, and starttime and stoptime are of course 0, then it will
return 1 and the condition in editcap.c will not match, so this packet is gone
without any error or warning information.

The fix is easy: replace "<= stoptime" with "< stoptime".

Here is my fix:
...................
static gboolean
check_timestamp(wtap *wth)
{
  struct wtap_pkthdr* pkthdr = wtap_phdr(wth);
  if (pkthdr->ts.secs == 0)
  {
    fprintf(stderr, "editcap: pcap contain 0 timestamp.\n");
  }
  return ( pkthdr->ts.secs >= starttime ) && ( pkthdr->ts.secs < stoptime);
}
....................

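The keep/drop logic quoted in the report, reduced to a runnable model so the edge case can be exercised directly. This is an added example, not code from the report or from Wireshark's editcap: the `struct pkthdr` and `struct window` types, the `have_stop` flag, `keep_quoted()`, `keep_fixed()`, `count_kept()` and the sample capture are all constructed here for illustration (editcap keeps `starttime`, `stoptime` and `check_startstop` as file-scope globals, and the packet-number half of the condition is assumed to be true, as it is when no packet list is given). It evaluates three decision rules over the same packets: the quoted inclusive check, the reporter's exclusive-upper-bound variant, and a version that only consults the time window when `-A`/`-B` were actually given.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for the only field of wtap_pkthdr that check_timestamp() reads. */
struct pkthdr {
    time_t secs;
};

/* Hypothetical container for the time-window state the quoted editcap.c keeps in
   globals: both bounds default to 0 when -A/-B are not given. have_stop is an
   assumption added here; editcap does not track the bounds this way. */
struct window {
    bool   check_startstop;  /* set when -A or -B was passed */
    bool   have_stop;        /* set only when -B was passed (assumed) */
    time_t starttime;
    time_t stoptime;
};

/* check_timestamp() as quoted in the report: inclusive on both ends. */
static bool check_timestamp_orig(const struct pkthdr *h, const struct window *w)
{
    return (h->secs >= w->starttime) && (h->secs <= w->stoptime);
}

/* The reporter's variant: exclusive upper bound. */
static bool check_timestamp_reporter(const struct pkthdr *h, const struct window *w)
{
    return (h->secs >= w->starttime) && (h->secs < w->stoptime);
}

/* The timestamp half of the quoted keep/drop condition. The packet-number half,
   ((!selected && !keep_em) || (selected && keep_em)), is taken as true here. */
static bool keep_quoted(const struct pkthdr *h, const struct window *w,
                        bool (*check)(const struct pkthdr *, const struct window *))
{
    bool check_ts = check(h, w);
    return (w->check_startstop && check_ts) || (!w->check_startstop && !check_ts);
}

/* Corrected decision (added here, not editcap's code): the window is consulted only
   when one was requested, and each bound only when it was given, so a 0-second
   timestamp can never match an empty [0,0] window by accident. */
static bool keep_fixed(const struct pkthdr *h, const struct window *w)
{
    if (!w->check_startstop)
        return true;
    if (h->secs < w->starttime)
        return false;
    if (w->have_stop && h->secs > w->stoptime)
        return false;
    return true;
}

/* Adapters with the signature count_kept() expects. */
static bool keep_orig(const struct pkthdr *h, const struct window *w)
{
    return keep_quoted(h, w, check_timestamp_orig);
}

static bool keep_reporter(const struct pkthdr *h, const struct window *w)
{
    return keep_quoted(h, w, check_timestamp_reporter);
}

/* Run one decision rule over a capture and return how many packets survive. */
static size_t count_kept(const struct pkthdr *pkts, size_t n, const struct window *w,
                         bool (*keep)(const struct pkthdr *, const struct window *))
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (keep(&pkts[i], w))
            kept++;
    return kept;
}

/* Constructed sample capture: one zero timestamp (the reporter's case), one ordinary
   epoch timestamp, and two inside a hypothetical "-A 1 -B 10" window, one on its edge. */
static const struct pkthdr sample[] = { {0}, {1289860778}, {5}, {10} };
static const size_t sample_len = sizeof sample / sizeof sample[0];

static const struct window no_window = { false, false, 0, 0 };
static const struct window a1_b10    = { true,  true,  1, 10 };

int main(void)
{
    printf("no -A/-B: quoted rule keeps %zu of %zu, reporter's keeps %zu, fixed keeps %zu\n",
           count_kept(sample, sample_len, &no_window, keep_orig), sample_len,
           count_kept(sample, sample_len, &no_window, keep_reporter),
           count_kept(sample, sample_len, &no_window, keep_fixed));
    printf("-A 1 -B 10: quoted rule keeps %zu, reporter's keeps %zu, fixed keeps %zu\n",
           count_kept(sample, sample_len, &a1_b10, keep_orig),
           count_kept(sample, sample_len, &a1_b10, keep_reporter),
           count_kept(sample, sample_len, &a1_b10, keep_fixed));
    return 0;
}
```

Without `-A`/`-B` the quoted rule silently drops the zero-timestamp packet, exactly as the report describes; the reporter's `<` variant keeps it, but at the price of also excluding a packet that sits exactly on a `-B` bound. Checking `check_startstop` before looking at the timestamps at all avoids both problems, and a warning on `secs == 0` as in the reporter's patch is still worth keeping so a capture with zeroed timestamps is visible to the operator.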