Wireshark-bugs: [Wireshark-bugs] [Bug 7851] New: We don't handle pcap-ng files with IDBs that co

Date: Thu, 11 Oct 2012 19:38:38 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7851

           Summary: We don't handle pcap-ng files with IDBs that come
                    after packet blocks
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Capture file support (libwiretap)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: guy@xxxxxxxxxxxx


Created attachment 9342
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9342
pcap-ng file with an IDB following the first packet

Build Information:
wireshark 1.9.0 (SVN Rev 45463 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.12.2, with Pango 1.30.0, with
GLib 2.32.3, with libpcap, with libz 1.2.5, without POSIX capabilities, without
libnl, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without
Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with PortAudio V19-devel (built Sep  7 2012 18:21:16), with AirPcap.

Running on Mac OS X 10.8.2, build 12C54 (Darwin 12.2.0), with locale
en_US.UTF-8, with libpcap version 1.1.1, with libz 1.2.5, GnuTLS 2.12.19,
Gcrypt 1.5.0, without AirPcap.

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.11.00).

--
There is no guarantee that all Interface Description Blocks in a pcap-ng file
will be at the beginning of the file, nor should there ever be such a
guarantee.

For example, some program that writes pcap-ng files could start capturing from
the interfaces that the machine has at the time the capture is started and, if
new interfaces appear while the capture is in progress, start capturing on
those interfaces as well.  (I have some ideas about how to implement that in
BPF, and may do that in my Copious Free Time(TM) and send the implementation
off to Apple and the *BSDs at some point.)

Here's a pcap-ng file I synthesized from a file in the Wireshark menagerie; it
has packets from two interfaces, and the IDB for each interface appears
immediately before the EPB for the packet on that interface.  It fails with

    tshark: The file "/Users/gharris/captures/pcapng/idb-in-the-middle.pcapng" appears to be damaged or corrupt.
    (pcapng: interface index 1 is not less than interface count 1.)

if I hand it to top-of-trunk TShark.

(I'm filing a bug on this in part just to put the pcap-ng file into the
menagerie, so that it gets handed to TShark by the buildbot.  I'll be
submitting a fix.)

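An added example, not part of the original report and not the Wireshark fix: a minimal pcap-ng block walker that counts IDBs as they are encountered in a section, so an IDB placed after packet blocks is accepted while an EPB that names an interface with no earlier IDB is still reported. The helper names and both sample captures are constructed for illustration; only SHB, IDB and EPB blocks are interpreted.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
MAGIC = 0x1A2B3C4D

def block(btype, body):
    """Build one little-endian pcap-ng block (constructed test data)."""
    body += b"\x00" * (-len(body) % 4)           # pad body to 32 bits
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def shb():
    return block(SHB, struct.pack("<IHHq", MAGIC, 1, 0, -1))

def idb(linktype=1, snaplen=65535):
    return block(IDB, struct.pack("<HHI", linktype, 0, snaplen))

def epb(if_id, payload=b"\xde\xad\xbe\xef"):
    hdr = struct.pack("<IIIII", if_id, 0, 0, len(payload), len(payload))
    return block(EPB, hdr + payload)

def check_interface_ids(data):
    """Return [(offset, message)] for malformed blocks or EPBs whose
    interface ID has no IDB earlier in the same section."""
    problems, off, end, if_count = [], 0, "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from(end + "I", data, off)[0]
        if off == 0 and btype != SHB:
            return [(0, "file does not start with an SHB")]
        if btype == SHB:                          # palindromic type, any byte order
            magic = data[off + 8:off + 12]
            if magic not in (struct.pack("<I", MAGIC), struct.pack(">I", MAGIC)):
                return problems + [(off, "bad byte-order magic")]
            end = "<" if magic == struct.pack("<I", MAGIC) else ">"
            if_count = 0                          # interface IDs restart per section
        total = struct.unpack_from(end + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            return problems + [(off, "bad block total length %d" % total)]
        if btype == IDB:
            if_count += 1                         # an IDB may appear anywhere in the section
        elif btype == EPB:
            if total < 32:
                return problems + [(off, "EPB too short")]
            if_id = struct.unpack_from(end + "I", data, off + 8)[0]
            if if_id >= if_count:
                problems.append((off, "interface %d used before its IDB" % if_id))
        off += total
    return problems

# Constructed samples: an IDB right before each interface's packet (valid),
# and a packet naming interface 1 before a second IDB exists (invalid).
LATE_IDB = shb() + idb() + epb(0) + idb() + epb(1)
MISSING_IDB = shb() + idb() + epb(1) + idb()
```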