
Wireshark-bugs: [Wireshark-bugs] [Bug 6718] Wiretap API needs to handle pcap-NG ISB blocks

Date: Fri, 2 Mar 2012 22:34:28 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718

--- Comment #6 from Jose Pedro Oliveira <jpo@xxxxxxxxxxxx> 2012-03-02 22:34:28 PST ---
(In reply to comment #5)
> Status update as of rev41328:
> 
> Steps:
>  1) cd ~/sandbox/wireshark-1.7.1-SVN-41328
>  2) ./dumpcap -i p132p1 -f tcp -i lo -i p3p1 -f udp -c 1 -w rev41328.pcapng
>  3) ./tshark -r rev41328.pcapng -w n.pcapng
>     or
>     ./editcap -T ether rev41328.pcapng n.pcapng
> 
> Result (n.pcapng)
> 
>  * the SHB and IDB options are being copied
>  * the ISB blocks are still being dropped
>  * the IDB if_filter option is being dropped
>  * the IDB if_tsresol option is being created by tshark/editcap
>    (it is written by the wiretap API with a default value of 6;
>     but it is not written by dumpcap API)
>  * ERROR: there are strings being corrupted (namely the if_name)
> 
>     ---------
> @@ -11,55 +11,26 @@
>        F: Snaplen          = 65535
>        F: Linktype         = 1
>        O: Option code  2   = 'p132p1'
> -      O: Option code 11   = 'tcp'
> +      O: Option code  9   = 6
>        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
>  000000C8 Block 0x00000001 - Interface Description Block
> -      F: Block total len  = 64 (0x40) bytes
> +      F: Block total len  = 72 (0x48) bytes
>        F: Snaplen          = 65535
>        F: Linktype         = 1
> -      O: Option code  2   = 'lo'
> +      O: Option code  2   = 'lo32p1'
> +      O: Option code  9   = 6
>        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
> -00000108 Block 0x00000001 - Interface Description Block
> -      F: Block total len  = 76 (0x4c) bytes
> +00000110 Block 0x00000001 - Interface Description Block
> +      F: Block total len  = 72 (0x48) bytes
>        F: Snaplen          = 65535
>        F: Linktype         = 1
> -      O: Option code  2   = 'p3p1'
> -      O: Option code 11   = 'udp'
> +      O: Option code  2   = 'p3p1p1'
> +      O: Option code  9   = 6
>        O: Option code 12   = 'Linux 3.2.7-1.fc16.x86_64'
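Review bot: in the second and third Interface Description Blocks the added if_name values 'lo32p1' and 'p3p1p1' are 'lo' and 'p3p1' followed by the trailing characters of the 'p132p1' printed for the first block, which is the pattern a display tool produces when it prints a string from a reused buffer without terminating it at the option length. Before recording this as corruption in n.pcapng, print each option value limited to its option_len and compare the two dumps again.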
> ...
> ---------
> 
>     Note that the if_name in the second and third IDBs doesn't match the initial
>     values.
> 
>     This problem "may" be related to the way string options are being
>     handled:
>      * dumpcap: the NUL character is written to the file and the option_len 
>        reflects this
>      * wiretap: the read operation uses the option_length field to read/copy 
>        the string but the write operation discards the string NUL character.
>        This makes all string option length field values 1 byte shorter in the
>        new file (the one created with tshark or editcap).

OOPS!  The string option values in the new pcapng are not corrupted. My dump
program is using the ntar library and it expects the strings to be NUL
terminated.

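
The effect described in this comment, as an added example (not code from Wireshark, wiretap, ntar or the reporter's dump program): a pcapng option walker that returns if_name either bounded by the option length field or, as a reader that expects NUL-terminated strings would, from a reused buffer it never terminates. The option bytes are constructed for the example, little-endian byte order is assumed, and `find_opt` and `read_if_name` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed option lists (little-endian), strings stored without a NUL
 * and padded to 32 bits; OPT2 also carries if_tsresol (code 9) = 6. */
static const uint8_t OPT1[] = {2,0, 6,0, 'p','1','3','2','p','1', 0,0, 0,0,0,0};
static const uint8_t OPT2[] = {9,0, 1,0, 6,0,0,0, 2,0, 2,0, 'l','o', 0,0, 0,0,0,0};
static const uint8_t OPT3[] = {2,0, 4,0, 'p','3','p','1', 0,0,0,0};

/* Return the value of option `code` and set *len; NULL if absent or truncated. */
static const uint8_t *find_opt(const uint8_t *p, size_t n, uint16_t code, uint16_t *len)
{
    size_t off = 0;
    while (off + 4 <= n) {
        uint16_t c = (uint16_t)(p[off] | p[off + 1] << 8);
        uint16_t l = (uint16_t)(p[off + 2] | p[off + 3] << 8);
        if (c == 0) break;                            /* opt_endofopt */
        if ((size_t)l > n - off - 4) return NULL;     /* value runs past the list */
        if (c == code) { *len = l; return p + off + 4; }
        off += 4 + (((size_t)l + 3) & ~(size_t)3);    /* header + padded value */
    }
    return NULL;
}

/* Copy if_name (code 2) into out. terminate=1: bounded by the option length
 * and NUL-terminated. terminate=0: models a reader that expects the file to
 * supply the NUL, so stale bytes of a reused buffer remain visible. */
static int read_if_name(const uint8_t *o, size_t n, char *out, size_t cap, int terminate)
{
    uint16_t len;
    const uint8_t *v = find_opt(o, n, 2, &len);
    if (!v || len >= cap) return -1;
    memcpy(out, v, len);
    if (terminate) out[len] = '\0';
    return 0;
}

int main(void)
{
    const uint8_t *opts[] = {OPT1, OPT2, OPT3};
    const size_t sizes[] = {sizeof OPT1, sizeof OPT2, sizeof OPT3};
    char scratch[32] = {0}, name[32];   /* scratch is zeroed once, then reused */
    for (int i = 0; i < 3; i++) {
        read_if_name(opts[i], sizes[i], scratch, sizeof scratch, 0);
        read_if_name(opts[i], sizes[i], name, sizeof name, 1);
        printf("IDB %d: NUL-expecting '%s', bounded '%s'\n", i + 1, scratch, name);
    }
}
```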