Wireshark-bugs: [Wireshark-bugs] [Bug 3895] Save-As Nokia tcpdump corrupts the file

Date: Wed, 21 Dec 2011 00:37:03 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3895

--- Comment #11 from Guy Harris <guy@xxxxxxxxxxxx> 2011-12-21 00:36:59 PST ---
And libpcap, as used by tcpdump and other tools, doesn't even *try* to
recognize it as a Nokia pcap file; if we hand the attached test sample file to
a reasonably close to top-of-trunk Wireshark's version of TShark, we get

$ tshark -n -r test.pcap

  1   0.000000 99.230.215.92 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)
  2   0.054467 99.233.32.194 -> 10.167.0.176 ICMP Destination unreachable (Host unreachable)
  3   0.230358 219.84.235.134 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)
  4   2.073723 99.230.215.92 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)

    ...

but if we hand it to a reasonably close to top-of-trunk tcpdump linked with
reasonably close to top-of-trunk libpcap, we get:

$ tcpdump -n -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
tcpdump: pcap_loop: bogus savefile header

and if we hand it to tcpdump 4.0.0, linked with libpcap 1.0.0, as shipped with
Mac OS X 10.6.8, we get the same thing:

$ tcpdump -n -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
tcpdump: pcap_loop: bogus savefile header

as we do if we hand it to tcpdump 4.1.1, linked with libpcap 1.1.1, as shipped
with Ubuntu 10.10:

$ tcpdump -n -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
tcpdump: pcap_loop: bogus savefile header

so I'm not sure what tools - other than tools linked with a hacked-up version
of libpcap that thinks pcap files with a standard magic number are Nokia pcap
files rather than standard pcap files, or tools that have their own pcap-file
reader similarly hacked - would support opening *any* Nokia pcap files as such.
(I.e., if you have such a tool, whatever it's using to read pcap files is
probably hacked up in that fashion, and probably won't correctly read all the
zillions of normal pcap files out there, including the ones from the "sample
captures" page in the Wireshark Wiki and from www.pcapr.net.)

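The behaviour in the comment above (a reader that assumes the standard record layout prints one garbled packet and then stops on a bogus header) can be reproduced offline. This is an added example, not code from the bug report, Wireshark or libpcap. It assumes the Nokia variant keeps the standard magic number and appends 4 extra bytes to each 16-byte per-record header; that layout is not stated on this page, and the sample packets and function names are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                # standard magic; assumed to be shared by the Nokia variant
FILE_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, caplen, len
NOKIA_EXTRA = 4                        # assumption: 4 opaque bytes after each record header

# Constructed sample input: three 60-byte dummy frames.
SAMPLE_PACKETS = [bytes([0x10 + i]) * 60 for i in range(3)]

def build_capture(packets, extra=b"", snaplen=65535, linktype=1):
    """Serialize packets as a pcap file; 'extra' is inserted after each record header."""
    out = FILE_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, data in enumerate(packets):
        out += REC_HDR.pack(1324455135 + i, 455510, len(data), len(data)) + extra + data
    return out

def walk_records(buf, extra_len):
    """Walk the file assuming extra_len bytes follow each record header.
    Returns (records_read, clean_eof); clean_eof is False on the first implausible header."""
    magic, _, _, _, _, snaplen, _ = FILE_HDR.unpack_from(buf, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, count = FILE_HDR.size, 0
    while off < len(buf):
        if off + REC_HDR.size + extra_len > len(buf):
            return count, False                      # truncated record header
        _, usec, caplen, origlen = REC_HDR.unpack_from(buf, off)
        if usec >= 1_000_000 or caplen > snaplen or caplen > origlen:
            return count, False                      # header fields are not plausible
        off += REC_HDR.size + extra_len
        if off + caplen > len(buf):
            return count, False                      # packet data runs past end of file
        off += caplen
        count += 1
    return count, True

def guess_variant(buf):
    """The magic number cannot tell the layouts apart, so try each and keep the one that parses."""
    for name, extra_len in (("standard", 0), ("nokia", NOKIA_EXTRA)):
        if walk_records(buf, extra_len)[1]:
            return name
    return "unknown"

if __name__ == "__main__":
    nokia = build_capture(SAMPLE_PACKETS, extra=b"\x00" * NOKIA_EXTRA)
    print(walk_records(nokia, 0), guess_variant(nokia))
```

Read with the standard layout, the first record of the Nokia-style file is accepted (its data is shifted by 4 bytes) and the second header is misaligned, so its real seconds field lands in the microseconds slot and fails the plausibility check.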