
Wireshark-bugs: [Wireshark-bugs] [Bug 12504] New: Saved pcapng file cannot be read by libpcap

Date: Thu, 09 Jun 2016 13:13:25 +0000
Bug ID 12504
Summary Saved pcapng file cannot be read by libpcap
Product Wireshark
Version 2.0.3
Hardware x86
OS Mac OS X 10.11
Status UNCONFIRMED
Severity Major
Priority Low
Component Capture file support (libwiretap)
Assignee [email protected]
Reporter [email protected]

Created attachment 14628 [details]
The problematic pcapng file

Build Information:
Wireshark 2.0.3 (v2.0.3-0-geed34f0 from master-2.0)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.3, build 15D21 (Darwin 15.3.0), with locale C, with
libpcap version 1.5.3 - Apple version 54, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

--
I capture traffic that occurs on my computer between the loopback IP (127.0.0.1)
and the local IP. The link layer type should be 0 (BSD loopback). It also seems
that Wireshark thinks so, because when looking at packets I see NULL/Loopback as
the name for the link layer.
However, when saving to a pcapng file, two IDBs appear at the beginning of the
file (after the SHB). The first one has link type 1 (Ethernet), and is followed
immediately by another one with link type 0. The following packet blocks refer
to the second IDB (interface ID = 1).
This seems wrong, and it also confuses libpcap, and makes it unable to read the
file (more accurately, the pcap_next() function fails and returns NULL on the
first call).

This happened with the latest libpcap (1.7.4), as well as with previous
versions.
Attached is the pcapng file.
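
The block layout described in the report can be checked without Wireshark or libpcap. The following is an added example, not part of the original report or of either project's code: it walks the blocks of a single-section pcapng file and reports IDBs with differing link types and interfaces that no Enhanced Packet Block references. The sample file is constructed inline to mirror the report (it is not attachment 14628), and the function names are hypothetical.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def summarize(data):
    """Walk one pcapng section: return (IDB link types in order, interface IDs used by EPBs)."""
    linktypes, used, off, e = [], set(), 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # SHB: the byte-order magic fixes the endianness of every later field
            e = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(e + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == IDB:      # body starts with a 16-bit LinkType
            linktypes.append(struct.unpack_from(e + "H", body)[0])
        elif btype == EPB:    # body starts with a 32-bit Interface ID
            used.add(struct.unpack_from(e + "I", body)[0])
        off += total
    return linktypes, used

def check(data):
    """Report the conditions described in the bug report."""
    linktypes, used = summarize(data)
    findings = []
    if len(set(linktypes)) > 1:
        findings.append(f"mixed link types across IDBs: {linktypes}")
    for i in range(len(linktypes)):
        if i not in used:
            findings.append(f"interface {i} (linktype {linktypes[i]}) has no packets")
    for i in sorted(used):
        if i >= len(linktypes):
            findings.append(f"packet references undefined interface {i}")
    return findings

def block(btype, body):
    """Build one little-endian pcapng block (only for the constructed sample)."""
    body += b"\x00" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def sample():
    """Constructed file: SHB, IDB(linktype 1), IDB(linktype 0), one EPB on interface 1."""
    pkt = struct.pack("<I", 2) + b"\x45" + b"\x00" * 19   # AF_INET + dummy IPv4 header
    return (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
            + block(IDB, struct.pack("<HHI", 1, 0, 65535))
            + block(IDB, struct.pack("<HHI", 0, 0, 65535))
            + block(EPB, struct.pack("<IIIII", 1, 0, 0, len(pkt), len(pkt)) + pkt))

if __name__ == "__main__":
    print("\n".join(check(sample())))
```

To run it against a real capture, pass the file's bytes to check(), for example check(open(path, "rb").read()).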

