Wireshark-bugs: [Wireshark-bugs] [Bug 7381] The file appears to be damaged or corrupt.. (pcapng:
Date: Fri, 22 Jun 2012 02:58:59 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7381

--- Comment #2 from Jim Young <[email protected]> 2012-06-22 02:58:58 PDT ---
Did some more testing.   The root of this problem appears to be based in the
original dumpcap generated pcapng files.

If I capture on a single interface (en1) then the resulting pcapng file can be
used by mergecap to build a usable pcapng file.   

> bash-3.2$ dumpcap -i en1 -f arp -a duration:5 -w en1-arp.pcapng
> Capturing on en1
> File: en1-arp.pcapng
> Packets captured: 1
> Packets received/dropped on interface en1: 0/0 (0.0%)
> bash-3.2$ 

Oddly while I did in fact capture 1 arp packet, dumpcap's final en1 interface
statistics report states that no packets were received or dropped!   The pcapng
file's interface_statistics_block reports same.

If I capture on two interfaces (en0 and en1) then the order that the interfaces
are specified to dumpcap will determine if the resulting pcapng file can be
used with mergecap to produce a usuable pcapng file or not.

The following dumpcap command produces a pcapng file that can be used by
mergecap to produce a usable pcapng file:

> bash-3.2$ dumpcap -i en1 -f arp -i en0 -f arp -a duration:5 -w en1-arp-en0-arp.pcapng
> Capturing on en1 and en0
> File: en1-arp-en0-arp.pcapng
> Packets captured: 1
> Packets received/dropped on interface en1: 1/0 (100.0%)
> Packets received/dropped on interface en0: 0/0 (0.0%)
> bash-3.2$ 

But the following dumpcap command produces a pcapng file that can NOT be used
by mergecap to produce a usable pcapng file:

> bash-3.2$ ./dumpcap -i en0 -f arp -i en1 -f arp -a duration:5 -w en0-arp-en1-arp.pcapng
> Capturing on en0 and en1
> File: en0-arp-en1-arp.pcapng
> Packets captured: 1
> Packets received/dropped on interface en0: 0/0 (0.0%)
> Packets received/dropped on interface en1: 1/0 (100.0%)
> bash-3.2$

I trivially used mergecap to virtually duplicate each of the pcapng files
created above: 

> bash-3.2$ mergecap -w merge-en1-arp.pcapng en1-arp.pcapng
> bash-3.2$ mergecap -w merge-en1-arp-en0-arp.pcapng en1-arp-en0-arp.pcapng
> bash-3.2$ mergecap -w merge-en0-arp-en1-arp.pcapng en0-arp-en1-arp.pcapng

It is the last of the three mergecap produced files
(merge-en0-arp-en1-arp.pcapng) that is unusable.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.