Wireshark-bugs: [Wireshark-bugs] [Bug 7381] New: The file appears to be damaged or corrupt.. (pc
Date: Wed, 20 Jun 2012 02:35:57 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7381

           Summary: The file appears to be damaged or corrupt.. (pcapng:
                    interface index 1 is not less than interface count 1.)
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Created attachment 8627
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8627
small 12 packet pcapng file

Build Information:
wireshark 1.9.0-SVN-43401 (SVN Rev 43401 from /trunk)

Copyright 1998-2012 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.5, with Cairo 1.8.6, with Pango 1.29.3, with
GLib 2.29.8, with libpcap, with libz 1.2.3, without POSIX capabilities, with
SMI
0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS
2.12.7, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Sep 30 2011 11:17:29), with AirPcap.

Running on Mac OS 10.6.8 (Darwin 10.8.0), with locale .UTF-8, with libpcap
version 1.0.0, with libz 1.2.3, GnuTLS 2.12.7, Gcrypt 1.4.6, without AirPcap.

Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).

--
mergecap generated pcapng file is unusable.

I have a series of pcapng files generated using dumpcap with the ringbuffer
duration option (e.g. $ dumpcap -i en0 -i en1 -f 'arp or (host 192.168.0.99 and
icmp)' -w ringtest.pcapng -b duration:5).

The individual ringtest*pcapng files superficially appear to be well-formed and
can be opened and processed by wireshark and the various wireshark cli tools
(tshark, capinfos, editcap, mergecap, etc).  

But if several of the ringtest*pcapng file are combined together using the
mergecap tool (e.g. $ mergecap -w combined.pcapng ringtest_0000[12]*pcapng) the
resulting pcapng is unusable with the error message "(pcapng: interface index 1
is not less than interface count 1.)".

tshark returns the following error message:

> $ tshark -r combined.pcapng 
> 
> tshark: The file "combined.pcapng" appears to be damaged or corrupt.
> (pcapng: interface index 1 is not less than interface count 1.)

capinfos returns the following error message:

> capinfos combined.pcapng 
> capinfos: An error occurred after reading 0 packets from "combined.pcapng": The file appears to be damaged or corrupt..
> (pcapng: interface index 1 is not less than interface count 1.)

editcap returns the following error message:

> $ editcap -c 1 combined.pcapng splittest.pcapng
> editcap: An error occurred while reading "combined.pcapng": The file appears to be damaged or corrupt..
> (pcapng: interface index 1 is not less than interface count 1.)

To replicate the problem do the following with the attached pcapng file:

> editcap -i 1 ringtest_00001_20120618221355.pcapng splittest.pcapng
> mergecap -w recombined.pcapng splittest*pcapng
> capinfos recombined.pcap

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.