ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 3096] Ability to annotate packet captures

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Sun, 12 Feb 2012 22:36:33 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096

--- Comment #37 from Guy Harris <guy@xxxxxxxxxxxx> 2012-02-12 22:36:30 PST ---
Given that pcap-NG supports multiple comments per packet, Microsoft Network
Monitor file format supports it as far as I can tell, and Network Instruments
Observer format also looks as if it can support it, we should support it as
well.

So we should support adding comments to the set of comments, deleting comments
from the set of comments, and editing comments in the set of comments.

Pcap-NG comments are UTF-8, as per the spec.  NetMon comments are separated
into a UTF-16 title and an RTF(!) body; presumably it uses the newer versions
of RTF with Unicode support.  I'm not sure whether Observer supports Unicode
comments (if so, it's presumably UTF-8, as the comments I've seen in Observer
files are ASCII rather than UCS-2 or UTF-16).  For the latter, we should
probably start by converting the title to UTF-8, turning the RTF into UTF-8
plain text, and prepending the title if it's not empty.

As for indicating whether a frame has a comment, NetMon puts a "#" after the
frame number in the frame number column; having a separate column to indicate
whether a frame has a comment might be a good idea (and having a way of
indicating, in the packet list, whether a frame has any expert info items, and
what severity the highest-severity item has, might be also useful).  Having a
column to contain the comment itself, however, probably wouldn't work well
except for the shortest of comments.  In examples I've seen in the NetMon blog
and the Observer manual, the comment is multiple lines and rather long (in the
NetMon blog - see the URL in an earlier comment of mine - the comment includes
a significant chunk of Microsoft MSDN documentation).

(As for

    BTW is all 5 nstime_t structs needed, couldn't the "others" be computed
from the first one using a smaller member containing "offset"

the answer is "yes".)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube