
Wireshark-bugs: [Wireshark-bugs] [Bug 3895] Save-As Nokia tcpdump corrupts the file

Date: Sat, 31 Dec 2011 10:22:46 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3895

--- Comment #21 from Michael Mann <mmann78@xxxxxxxxxxxx> 2011-12-31 10:22:42 PST ---
(In reply to comment #18)
> Note that, not knowing what the contents of the 4 bytes in question are, we
> can't arrange that we can write out any file other than Nokia tcpdump files as
> Nokia tcpdump files and have Wireshark recognize them as such, unless we write
> them out as 0xFFFFFFFF or something such as that.
> Given that, I'm not sure we should support writing out any files other than
> Nokia tcpdump files in Nokia tcpdump format.
> I'm really not inclined to try to "fake" the 4 bytes as if they were packet
> contents.  The right way to do it might be to both per-file-type and per-packet
> pseudo-headers - there might be other file formats that could use the
> per-file-type pseudo-header, e.g. HP-UX nettl - and stuff the 4 bytes into a
> per-file-type pseudo-header.

The scenario of this bug and what the patch fixes is:
1. Load existing Nokia tcpdump file into Wireshark (that had been previously
created by Nokia tcpdump)
2. Use display filters to show a subset of frames in the file
3. Save subset (i.e. Displayed packets) in Nokia tcpdump file format.

In this case, the "4 bytes in question" are known, so Wireshark should be able
to resave the subset.

The scenario this patch (or bug) doesn't address is
1. Capture packets in Wireshark
2. Save As Nokia tcpdump format

In this case, Wireshark doesn't know the "4 bytes in question" and just writes
a (32-bit) 0.  This would make it incompatible with the real Nokia tcpdump
(which is a whole separate issue), but Wireshark could probably reread the file
without issue because it's really ignoring the "4 bytes in question" anyway.

This patch allows Wireshark to write the "4 bytes in question" if known,
otherwise the (32-bit) 0 will be written.
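
The two save scenarios from the comment above, as an added example that is not part of the original comment or the Wireshark patch. It assumes a little-endian file in which each record is the standard 16-byte pcap record header followed by the 4 opaque bytes; the function names and the sample file are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
FILE_HDR = struct.Struct("<IHHiIII")  # standard pcap file header, 24 bytes
# Assumed record layout: ts_sec, ts_usec, incl_len, orig_len, then 4 opaque bytes.
REC_HDR = struct.Struct("<IIII4s")
UNKNOWN = b"\x00\x00\x00\x00"         # the 32-bit 0 written when the bytes are not known

def read_nokia(buf):
    """Parse a file; return (file_hdr, [(sec, usec, orig_len, extra4, data), ...])."""
    if len(buf) < FILE_HDR.size:
        raise ValueError("truncated file header")
    file_hdr = FILE_HDR.unpack_from(buf, 0)
    if file_hdr[0] != PCAP_MAGIC:
        raise ValueError("unexpected magic or byte order")
    snaplen, off, recs = file_hdr[5], FILE_HDR.size, []
    while off < len(buf):
        if len(buf) - off < REC_HDR.size:
            raise ValueError("truncated record header")
        sec, usec, incl, orig, extra4 = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        # Reject lengths that run past the snapshot length or the end of the file.
        if incl > snaplen or incl > len(buf) - off:
            raise ValueError("record length exceeds snaplen or file size")
        recs.append((sec, usec, orig, extra4, buf[off:off + incl]))
        off += incl
    return file_hdr, recs

def write_nokia(file_hdr, recs):
    """Write records; extra4=None means the 4 bytes are unknown (live capture)."""
    out = bytearray(FILE_HDR.pack(*file_hdr))
    for sec, usec, orig, extra4, data in recs:
        if extra4 is None:
            extra4 = UNKNOWN
        out += REC_HDR.pack(sec, usec, len(data), orig, extra4) + data
    return bytes(out)

def resave_subset(buf, keep):
    """Scenario 1: reload an existing file and save only the records keep() accepts."""
    file_hdr, recs = read_nokia(buf)
    return write_nokia(file_hdr, [r for r in recs if keep(r)])

# Constructed sample file with two records carrying distinct 4-byte values.
SAMPLE = write_nokia((PCAP_MAGIC, 2, 4, 0, 0, 65535, 1), [
    (1, 0, 4, b"\x01\x02\x03\x04", b"pkt1"),
    (2, 0, 4, b"\xaa\xbb\xcc\xdd", b"pkt2"),
])
```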
