
Wireshark-dev: Re: [Wireshark-dev] [tcpdump-workers] Which versions of pcap files accept pcap_o

From: Florent Drouin <florent.drouin@xxxxxxxxxxxxxxxxx>
Date: Wed, 12 Mar 2008 09:26:44 +0100
In the previous version of Wireshark, the conversion from ERF to libpcap was like this:

For TYPE_ATM, TYPE_AAL5:
       WTAP_ENCAP_ATM_PDUS
       or WTAP_ENCAP_ATM_RFC1483
       or WTAP_ENCAP_ATM_PDUS_UNTRUNCATED

For TYPE_ETH:
       WTAP_ENCAP_ETHERNET

For TYPE_HDLC_POS:
       WTAP_ENCAP_PPP
       or WTAP_ENCAP_CHDLC

For other types:
       WTAP_ENCAP_UNKNOWN

Since wireshark-0.99.8, the encapsulation is always WTAP_ENCAP_ERF (DLT_ERF). The main reason for this change was to keep all the information contained in the ERF header. Another reason is that the new ERF types are not taken into account for format conversion, and there is no possibility to deduce the datalink from the ERF type. That's why the user has to select the protocol to use for decoding the ERF type in the preferences.

For the present case, Wireshark is used to convert an ERF file to libpcap format, and then the converted file is injected into a sniffer using a capture filter. As Guy said, the capture filter for "ip" is not implemented for the datalink DLT_ERF. Only the filters for MTP2 have been implemented for this datalink.

I will check whether I can implement the possibility to choose the DLT to use for the conversion to libpcap, but in the meantime I suggest you convert your file with a previous version of Wireshark, so you can use a capture filter in your sniffer.

Regards
Florent
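A converter of the kind Florent says he will look into, as an added example that is not Wireshark's or Endace's code: it reads a pcap file written with DLT_ERF (the 0.99.8+ behaviour), strips each ERF record header and writes the frames back under a per-type DLT, so that libpcap's filter compiler can accept "ip" on the result. The ERF header layout, the DLT numbers and the 2-byte offset/pad that precedes Ethernet frames follow the published ERF and libpcap formats; the choice of DLT_C_HDLC for HDLC_POS (the old Wireshark also allowed PPP), the omission of the ATM/AAL5 types, and the sample record and timestamp are assumptions made here. Files mixing ERF types are rejected, since a pcap file carries a single DLT, which is the limitation behind the remark that the datalink cannot be deduced in general.

```python
"""Rewrite a DLT_ERF pcap into a pcap whose link type matches the ERF record type.
Added example, not Wireshark or Endace code; assumptions are noted in comments."""
import struct
import sys

# libpcap link-layer types (values from libpcap's dlt.h)
DLT_EN10MB, DLT_C_HDLC, DLT_ERF = 1, 104, 197

# ERF record types (Endace ERF format); bit 7 of the type byte flags extension headers
ERF_TYPE_HDLC_POS, ERF_TYPE_ETH = 1, 2
ERF_TYPE_MASK, ERF_EXT_FLAG, ERF_HDR_LEN = 0x7F, 0x80, 16

# Assumed choice: the old Wireshark also allowed PPP for HDLC_POS; ATM/AAL5 are left out
# because they need an ATM pseudo-header rather than a raw copy of the ERF payload.
ERF_TO_DLT = {ERF_TYPE_ETH: DLT_EN10MB, ERF_TYPE_HDLC_POS: DLT_C_HDLC}

PCAP_MAGIC = 0xA1B2C3D4
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def parse_erf(data):
    """Split one ERF record into (type, ts_sec, ts_usec, frame, wlen)."""
    if len(data) < ERF_HDR_LEN:
        raise ValueError("truncated ERF header")
    ts = struct.unpack_from("<Q", data, 0)[0]  # 64-bit LE fixed point: sec << 32 | frac
    rtype, _flags, rlen, _lctr, wlen = struct.unpack_from(">BBHHH", data, 8)
    end, pos = min(rlen, len(data)), ERF_HDR_LEN
    if rtype & ERF_EXT_FLAG:  # walk the 8-byte extension headers; bit 7 = "more follow"
        while True:
            if pos + 8 > end:
                raise ValueError("truncated ERF extension header")
            more, pos = data[pos] & ERF_EXT_FLAG, pos + 8
            if not more:
                break
    rtype &= ERF_TYPE_MASK
    if rtype == ERF_TYPE_ETH:
        pos += 2  # ETH records carry 2 bytes (offset, pad) before the Ethernet frame
    if pos > end:
        raise ValueError("ERF record shorter than its headers")
    frame = data[pos:end][:wlen]  # wlen bounds the frame; drops 8-byte alignment padding
    return rtype, ts >> 32, ((ts & 0xFFFFFFFF) * 1_000_000) >> 32, frame, wlen


def read_pcap(buf):
    """Return (linktype, [(ts_sec, ts_usec, data, orig_len), ...]) from pcap bytes."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = PCAP_GLOBAL.unpack_from(buf, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian pcap (magic d4 c3 b2 a1)")
    recs, pos = [], PCAP_GLOBAL.size
    while pos < len(buf):
        ts_sec, ts_usec, incl, orig = PCAP_REC.unpack_from(buf, pos)
        pos += PCAP_REC.size
        data = buf[pos:pos + incl]
        if len(data) != incl:
            raise ValueError("truncated pcap record")
        recs.append((ts_sec, ts_usec, data, orig))
        pos += incl
    return linktype, recs


def write_pcap(linktype, recs, snaplen=65535):
    out = [PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data, orig in recs:
        out += [PCAP_REC.pack(ts_sec, ts_usec, len(data), orig), data]
    return b"".join(out)


def convert_erf_pcap(buf):
    """DLT_ERF pcap bytes -> pcap bytes under the DLT implied by the (single) ERF type."""
    linktype, recs = read_pcap(buf)
    if linktype != DLT_ERF:
        raise ValueError(f"input linktype is {linktype}, not DLT_ERF ({DLT_ERF})")
    dlt, out = None, []
    for _sec, _usec, data, _orig in recs:
        rtype, sec, usec, frame, wlen = parse_erf(data)
        if rtype not in ERF_TO_DLT:
            raise ValueError(f"no libpcap DLT mapping for ERF type {rtype}")
        if dlt not in (None, ERF_TO_DLT[rtype]):
            raise ValueError("mixed ERF types: a pcap file carries a single DLT")
        dlt = ERF_TO_DLT[rtype]
        out.append((sec, usec, frame, wlen))  # the ERF timestamp replaces the pcap one
    if dlt is None:
        raise ValueError("empty capture")
    return write_pcap(dlt, out)


# Constructed sample (not a real capture): one ERF_TYPE_ETH record around a minimal
# Ethernet header (type 0x0800) followed by a 20-byte IPv4 header.
SAMPLE_FRAME = bytes.fromhex("00112233445566778899aabb0800"
                             "450000140000400040010000" "0a000001" "0a000002")
SAMPLE_TS_SEC, SAMPLE_TS_FRAC = 1205310404, 0x80000000  # frac / 2^32 = 0.5 s


def build_erf_eth_record(ts_sec, frac, frame):
    body = b"\x00\x00" + frame  # offset + pad bytes, then the frame
    rlen = ERF_HDR_LEN + len(body)
    pad = (-rlen) % 8  # ERF records are padded to a multiple of 8 bytes
    hdr = struct.pack("<Q", (ts_sec << 32) | frac)
    hdr += struct.pack(">BBHHH", ERF_TYPE_ETH, 0, rlen + pad, 0, len(frame))
    return hdr + body + b"\x00" * pad


def sample_erf_pcap():
    rec = build_erf_eth_record(SAMPLE_TS_SEC, SAMPLE_TS_FRAC, SAMPLE_FRAME)
    return write_pcap(DLT_ERF, [(SAMPLE_TS_SEC, 500000, rec, len(rec))])


if __name__ == "__main__":  # usage: erf2pcap.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as f:
        converted = convert_erf_pcap(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(converted)
```

The output keeps only the frame and the ERF timestamp (reduced to microseconds); the rest of the ERF header, which is exactly what the DLT_ERF encapsulation was introduced to preserve, is discarded, so this is a one-way conversion for tools that need a classic DLT.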

Stephen Donnelly wrote:
On Tue, 2008-03-11 at 01:04 -0700, Guy Harris wrote:
vcarela wrote:

The problem is that if I capture with wireshark a trace from my eth0 connection and I save it as a "Wireshark/tcpdump/...-libpcap" file, then when I run the sniffer with this pcap trace the sniffer runs properly. But if I open a .erf trace from a DAG card with wireshark and I save it as a "Wireshark/tcpdump/...-libpcap", when I run this trace in the sniffer no packets are dispatched.
When I read an ERF trace, save it with a recent build of Wireshark as a libpcap-format file, and run a (slightly modified, so it compiles) version of your program, it prints

	Error compilando el filtro 'ip'

without even trying to read the file.

Recent versions of Wireshark save ERF files as libpcap files with a packet type of DLT_ERF, and the filter compiler in libpcap doesn't support DLT_ERF.

I wonder if that is the best approach? On the plus side it avoids losing
information such as timestamp precision, but on the downside it is not
widely interoperable.

If the user's purpose in saving to libpcap format is to use the file
with another program then saving to DLT_ERF may not be useful.

When you save a capture in libpcap format Wireshark doesn't prompt you
for which DLT to use? How does it decide which DLT is appropriate?

Stephen