
Wireshark-bugs: [Wireshark-bugs] [Bug 9121] New: Wireshark generated pcapng files generates a ma

Date: Mon, 09 Sep 2013 01:19:03 +0000
Bug ID: 9121
Summary: Wireshark generated pcapng files generates a malformed NRB when writing more than one
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: x86
OS: Mac OS X 10.8
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Wireshark
Assignee: [email protected]
Reporter: [email protected]

Build Information:
wireshark 1.11.0-SVN-51832 (SVN Rev 51832 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.36.0, with libpcap, with libz 1.2.3, without POSIX capabilities, without
libnl, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without
Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with PortAudio V19-devel (built Jul 16 2013 19:05:52), with AirPcap.

Running on Mac OS X 10.8.4, build 12E55 (Darwin 12.4.0), with locale .UTF-8,
with libpcap version 1.1.1, with libz 1.2.5, GnuTLS 2.12.19, Gcrypt 1.5.0,
without AirPcap.
      Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

--
Under certain conditions when using Wireshark's "Save as" dialog, the newly
created pcapng file will be augmented with one or more pcapng Name Resolution
Blocks (NRB).

When multiple NRBs are written by Wireshark to the Save as file, the resulting
file is unreadable by any of the applications linked to the wiretap library
because the first NRB appears to be malformed.

NRBs will typically contain ipv4 and ipv6 entries extracted from the answer and
additional sections from all the dns response packets (dns.flags.response == 1)
within the original trace file.  If the number of entries extracted from dns
responses exceeds some threshold then multiple NRBs will be written to the "Save
as" file.

This is an example of the error message tshark reports when attempting to open
one of the Wireshark generated pcapng files with a malformed NRB:

> bash-3.2$ tshark -r 497-dns-responses-SaveAs.pcapng 
> 
> tshark: The file "497-dns-responses-SaveAs.pcapng" appears to be damaged or corrupt.
> (pcapng_read_unknown_block: total block length 0 of an unknown block type is less than the minimum block size 12)
> bash-3.2$ 

FWIW: Some libpcap based pcapng aware applications such as tcpdump can open
malformed Wireshark "Save as" generated pcapng files because they simply skip
over all NRBs.

Enabling the pcapng_debug statements in wiretap/pcapng.c will help illustrate
the problem:

> Index: wiretap/pcapng.c
> ===================================================================
> --- wiretap/pcapng.c	(revision 51849)
> +++ wiretap/pcapng.c	(working copy)
> @@ -68,7 +68,7 @@
>  #include "pcap-encap.h"
>  #include "pcapng.h"
>  
> -#if 0
> +#if 1
>  #define pcapng_debug0(str) g_warning(str)
>  #define pcapng_debug1(str,p1) g_warning(str,p1)
>  #define pcapng_debug2(str,p1,p2) g_warning(str,p1,p2)
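Review bot: flipping `#if 0` to `#if 1` switches the pcapng_debug* macros on for every build, so this hunk is a local diagnostic toggle rather than a change to commit; if the tracing is worth keeping, gate it on a compile-time define (a hypothetical `PCAPNG_DEBUG`, for example) instead of editing the constant. While looking at these lines: `#define pcapng_debug0(str) g_warning(str)` hands `str` straight to g_warning as the format string, so every call site must pass a literal format string rather than anything read from the capture file.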

Until this bug is fixed, one workaround is to disable the "Use DNS
packet data for addresses resolution" preference (-o
dns.use_for_addr_resolution:FALSE) before using Wireshark's "Save as" feature.
