
Wireshark-bugs: [Wireshark-bugs] [Bug 11750] New: tshark saves raw stream in ascii file, content

Date: Sun, 22 Nov 2015 16:06:04 +0000
Bug ID: 11750
Summary: tshark saves raw stream in ascii file, content unrecoverable
Product: Wireshark
Version: 1.12.8
Hardware: x86-64
OS: Gentoo
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: TShark
Assignee: [email protected]
Reporter: [email protected]

Build Information:
TShark 1.12.8 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.44.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, with SMI 0.5.0, without c-ares, without
ADNS, with Lua 5.1, without Python, with GnuTLS 3.3.18, with Gcrypt 1.6.4,
without Kerberos, without GeoIP.

Running on Linux 4.2.6-hardened-r3-151118, with locale en_GB.utf8, with libpcap
version 1.7.4, with libz 1.2.8.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 4.9.3.

--
I filed a bug in Gentoo:

tshark (net-analyzer/wireshark-1.12.8-r1) saves tcp/ssl raw streams in ascii
file, content unrecoverable 
https://bugs.gentoo.org/show_bug.cgi?id=566472 

(and this here is the same, shorter, info)

Please find the files necessary to reproduce this (those mentioned explicitly
below) at:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151121/

The problem boils down to a command like this:

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 \
    | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin

produces an ASCII file from which the content cannot be extracted, in
contrast to the perfectly recoverable content of the file that I saved with
Wireshark and named:

dump_150927_1848_g0n_s00009-W.bin

You can find, apart from the main traffic capture, both of these
extracted-stream-9 files, as obtainable in my Wireshark on my Gentoo, as
well as the content extracted from the Wireshark-saved stream, at the links
given above.

I think this is a bug, so I'm trying to get the Wireshark wizards'
attention on this issue ;-) .


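The symptom in the report matches what tshark's raw follow mode emits: not the stream's bytes, but a text rendering of them, hex-encoded one chunk per line inside a banner, whereas Wireshark's Follow Stream dialog with "Raw" selected writes the bytes themselves. Filtering that text with egrep keeps it as text, so the saved file is hex digits rather than the payload. The script below is an added example, not code from the report or from the Wireshark project; it decodes such output back into bytes, optionally for one direction only. The layout it assumes (a line of "=" characters, then Follow:, Filter:, Node 0: and Node 1: lines, then one hex line per chunk with Node 1's chunks prefixed by a tab, then a closing "=" line) is the raw follow format as documented for tshark 1.12 and should be checked against the build in use. The sample it decodes is constructed here, not taken from the reporter's capture, and the script name in the usage note is hypothetical.

```shell
#!/bin/sh
# Turn the text printed by "tshark -q -z follow,tcp,raw,N" into the stream's
# actual bytes. Added example, not Wireshark project code. Assumed layout
# (tshark 1.12 raw follow mode; verify against your build): a "====" banner,
# four metadata lines (Follow:/Filter:/Node 0:/Node 1:), then one hex-encoded
# chunk per line, chunks from Node 1 prefixed with a tab, then a "====" footer.
set -eu

# hex_to_bin: stdin = hex digits (whitespace ignored), stdout = the bytes.
# awk rewrites each byte as an octal escape so a plain POSIX printf can emit
# it; this avoids depending on xxd or perl being installed.
hex_to_bin() {
  fmt=$(tr -d ' \t\r\n' | awk '{
    for (i = 1; i <= length($0); i += 2) {
      h = tolower(substr($0, i, 2)); v = 0
      for (j = 1; j <= 2; j++)
        v = v * 16 + index("0123456789abcdef", substr(h, j, 1)) - 1
      printf "\\%03o", v
    }
  }')
  # fmt holds only octal escapes produced above, never user-controlled text
  printf "$fmt"
}

# follow_raw_to_bin DIRECTION: DIRECTION is all, client (data sent by Node 0)
# or server (data sent by Node 1). Reads follow output on stdin, writes bytes.
# Any line that is neither banner, metadata nor hex is treated as an error.
follow_raw_to_bin() {
  dir=${1:-all}
  tab=$(printf '\t')
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '==='*|'Follow:'*|'Filter:'*|'Node 0:'*|'Node 1:'*|'') continue ;;
    esac
    case "$line" in
      "$tab"*) [ "$dir" = client ] && continue
               hex=${line#"$tab"} ;;
      *)       [ "$dir" = server ] && continue
               hex=$line ;;
    esac
    case "$hex" in
      *[!0-9a-fA-F]*) printf 'not a raw-follow hex line: %s\n' "$line" >&2; return 1 ;;
    esac
    printf '%s\n' "$hex" | hex_to_bin
  done
}

# Constructed sample (not from the reporter's capture): one request chunk from
# Node 0 ("GET / HTTP/1.1\n") and one reply chunk from Node 1
# ("HTTP/1.1 200 OK\n") in the assumed raw-follow layout.
TAB=$(printf '\t')
SAMPLE=$(printf '%s\n' \
  '===================================================================' \
  'Follow: tcp,raw' \
  'Filter: tcp.stream eq 9' \
  'Node 0: 10.0.0.1:50000' \
  'Node 1: 10.0.0.2:443' \
  '474554202f20485454502f312e310a' \
  "${TAB}485454502f312e3120323030204f4b0a" \
  '===================================================================')

# decode_sample DIRECTION: decodes SAMPLE and writes the resulting bytes.
decode_sample() { printf '%s\n' "$SAMPLE" | follow_raw_to_bin "${1:-all}"; }

# With a direction argument, act as a filter on tshark output from stdin;
# with no argument, decode the embedded sample instead.
if [ $# -gt 0 ]; then
  follow_raw_to_bin "$1"
else
  decode_sample all
fi
```

Run with no argument to decode the embedded sample; with a direction argument it reads tshark output on stdin, for instance `tshark -r dump_150927_1848_g0n.pcap -q -z follow,tcp,raw,9 | sh follow_raw_to_bin.sh all > stream9.bin` (script name assumed). Piping each line through awk separately is slow on large streams, but it keeps the script dependent on nothing beyond a POSIX shell, awk and tr, and the per-line hex check means a changed banner format fails loudly instead of silently producing a wrong file.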