Wireshark-bugs: [Wireshark-bugs] [Bug 9991] New: Tshark with "-F pcap" still generates a pcapng
Date: Mon, 14 Apr 2014 22:21:12 +0000
Bug ID 9991
Summary Tshark with "-F pcap" still generates a pcapng file
Classification Unclassified
Product Wireshark
Version 1.10.6
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Normal
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Build Information:
TShark 1.10.6 (v1.10.6 from master-1.10)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT
Kerberos, with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
       Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz, with 8061MB of physical
memory.



Built using Microsoft Visual C++ 10.0 build 40219
--
I've been trying to capture network traffic to a pcap file with tshark using
the '-F pcap' option so I can later read the file back with winpcap.
Unfortunatly the generated file is always in the pcapng format.

> tshark -i 5 -F pcap -f "udp port 777" -b filesize:1 -w c:\tmp\fail.pcap
Capturing on 'Wireless Network Connection'
2

This generates at least a couple of files:

> dir c:\tmp\fail*.pcap
 Volume in drive C has no label.
 Volume Serial Number is 5E24-18F3

 Directory of c:\tmp

04/14/2014  03:07 PM             1,220 fail_00001_20140414150716.pcap
04/14/2014  03:07 PM               452 fail_00002_20140414150725.pcap
               2 File(s)          1,672 bytes
               0 Dir(s)  46,042,722,304 bytes free

Using capinfos.exe, I can see that the file is not in the correct format
("Wireshark/... - pcapng" instead of "Wireshark/tcpdump/... - pcap"):

> capinfos.exe  c:\tmp\fail_00001_20140414150716.pcap
File name:           c:\tmp\fail_00001_20140414150716.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   1
File size:           1220 bytes
Data size:           902 bytes
Capture duration:    n/a
Start time:          Mon Apr 14 15:07:25 2014
End time:            Mon Apr 14 15:07:25 2014
Data byte rate:      0 bytes/s
Data bit rate:       0 bits/s
Average packet size: 902.00 bytes
Average packet rate: 0 packets/sec
SHA1:                cad70fff2165a2ca4dc2cfd43c9f1a420b66045b
RIPEMD160:           abf1a069f86338bf4ddcdee92b1d82e765d1e924
MD5:                 765c86cfe08a2d95c8c072fdb382f359
Strict time order:   True

The file is successfully converted with editcap.exe...

> editcap.exe -F pcap c:\tmp\fail_00001_20140414150716.pcap c:\tmp\fail_00001_20140414150716.pcap

> capinfos.exe  c:\tmp\fail_00001_20140414150716.pcap
File name:           c:\tmp\fail_00001_20140414150716.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1
File size:           942 bytes
Data size:           902 bytes
Capture duration:    n/a
Start time:          Mon Apr 14 15:07:25 2014
End time:            Mon Apr 14 15:07:25 2014
Data byte rate:      0 bytes/s
Data bit rate:       0 bits/s
Average packet size: 902.00 bytes
Average packet rate: 0 packets/sec
SHA1:                a3c32a1376547954caa24d7726e8867309c79955
RIPEMD160:           4b479ba12a5900eea8ea4cbbdc575acf2dd995fb
MD5:                 3d66c21086f82b4cfdf6e5f30339b3ec
Strict time order:   True


You are receiving this mail because:
  • You are watching all bug changes.