Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 3315] Segments of reassembled PDU's not saved when saving

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Tue, 5 Jun 2012 12:32:44 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315

--- Comment #27 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2012-06-05 12:32:43 PDT ---
(In reply to comment #26)
> Thanks for this long-awaited fix! I confirm it works perfectly for reassembled
> IP packets (tested with fragmented SIP packets in UDP) when saving with a
> display filter.

:-)

> But it still does not work when saving "marked" packets when some are
> reassembled. So I propose the following improvement:
> When marking a reassembled packet, it will automatically mark the corresponding
> fragmented packets too. So when saving with "marked" packets, everything will
> be saved.

That's expected behavior; the tooltip (if your mouse hovers over the
"Displayed" button) should explain it.

The problem with doing this for anything other than the "All packets" case is
that it would either require a lot of memory (basically storing which frames
depend on which frames) or a lot of time (going through the packet list more
than once).

For example to make it work with Marked frames would (AFAICS) require going
through the packet list twice when exporting the packets: once to collect the
Marked frames and mark their dependencies and then again to actually save the
packets (as is currently done).  (Another option would be to reprocess all the
frames each time you mark or unmark a frame, but that seems even less
palatable.)  The Displayed case works because you already have to Apply the
filter which involves reprocessing all the frames and we can mark the
dependencies as we go.

Hmmm, well, I guess we could add a button where the Marked frames count is (or
next to it) labeled "Find dependencies" and, if pressed, goes off and finds the
dependencies of the marked frames (by rescanning the packet list again).  But
then switching back to "All packets/Displayed" would require yet another rescan
(to reset the dependencies).  Ugh.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube