Wireshark-dev: Re: [Wireshark-dev] writing non-Ethernet pcapng files

From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Fri, 22 May 2009 09:32:55 +0200
Hi Aaron,

thanks for the fix. I have committed it (with whitespace changes).

Best regards
Michael

On May 22, 2009, at 12:48 AM, Aaron Turner wrote:

Looks like there was a bug where WTAP codes weren't being properly
converted to DLT types and since ethernet == ethernet, that worked,
but most everything else didn't.

I've attached a patch which I've tested with HDLC, 802.11, 802.11 w/
radio headers and Juniper Ethernet.  The first three work just fine,
but Wireshark isn't properly decoding the Juniper Ethernet pcapng file
even though it appears correctly formatted:

0000000: 0a0d 0d0a 1c00 0000 4d3c 2b1a 0100 0000  ........M<+.....
0000010: ffff ffff ffff ffff 1c00 0000 0100 0000  ................
0000020: 1400 0000 b200 0000 dc05 0000 1400 0000  ................
0000030: 0600 0000 8400 0000 0100 0000 2f69 0400  ............/i..
0000040: d61a b423 6400 0000 6400 0000 4d47 4380  ...#d...d...MGC.

As you can see at offset 0x24-25, the encoded DLT is 178, which is
Juniper Ethernet, but capinfos/Wireshark is returning Unknown.  I
haven't bothered to track down why wireshark (latest 1.1.x from svn)
handles this for pcap but not pcapng.

Side note: I thought wireshark coding standard was to use spaces and
not tabs, but pcapng.c seemed to be tabbed so I maintained that.  If
someone wants me to do differently, let me know.


-- Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin



On Thu, May 21, 2009 at 1:39 PM, Aaron Turner <synfinatic@xxxxxxxxx> wrote:
On Thu, May 21, 2009 at 1:06 PM, Michael Tüxen
<Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
Hi Aaron,

I see what you mean. I'm using pcapio.[ch] in dumpcap,
so I'm using WTAP_ENCAP_PER_PACKET...

Can you file a bug report at https://bugs.wireshark.org/bugzilla/
such that it does not get forgotten. Please describe
what you want to get working (possibly providing the
input file). Then it does not get lost.

I will look at it after finishing the capturing support,
if no one else takes the issue earlier.

Well looks like it was more work than I thought... converting from
pcap to pcapng loses the encapsulation type for some reason (at least
with my HDLC test).  I'm going to see if I can dig around and figure
out what's going on.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin

<pcapng-export.patch>
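
To check the link type on disk independently of capinfos/Wireshark, this added example (not part of the original messages or of Wireshark's pcapng.c) decodes the hex dump quoted above with a minimal pcapng block walker; the name `parse_pcapng_prefix` and the dictionary keys are the example's own. It also reports each packet block's interface ID next to whether an Interface Description Block with that zero-based index has been seen.

```python
import struct

# The hex dump quoted in the message above: the first 0x50 bytes of the file.
# The packet block is cut off shortly after the start of its data.
DUMP = bytes.fromhex("".join("""
0a0d 0d0a 1c00 0000 4d3c 2b1a 0100 0000
ffff ffff ffff ffff 1c00 0000 0100 0000
1400 0000 b200 0000 dc05 0000 1400 0000
0600 0000 8400 0000 0100 0000 2f69 0400
d61a b423 6400 0000 6400 0000 4d47 4380
""".split()))

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def parse_pcapng_prefix(data):
    """Walk pcapng blocks in `data`, tolerating a truncated final block."""
    if len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB:
        raise ValueError("does not start with a Section Header Block")
    # The byte-order magic at offset 8 says how every other field is stored.
    if struct.unpack_from("<I", data, 8)[0] == BYTE_ORDER_MAGIC:
        end = "<"
    elif struct.unpack_from(">I", data, 8)[0] == BYTE_ORDER_MAGIC:
        end = ">"
    else:
        raise ValueError("bad byte-order magic")
    interfaces, packets, off = [], [], 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4:
            raise ValueError("bad block length at offset %#x" % off)
        if btype == IDB and off + 16 <= len(data):
            link, _rsvd, snap = struct.unpack_from(end + "HHI", data, off + 8)
            interfaces.append({"offset": off, "linktype": link, "snaplen": snap})
        elif btype == EPB and off + 28 <= len(data):
            iface, _hi, _lo, cap, plen = struct.unpack_from(end + "5I", data, off + 8)
            packets.append({"interface_id": iface, "caplen": cap, "len": plen,
                            # Interface IDs index the section's IDBs from 0.
                            "interface_defined": iface < len(interfaces),
                            "truncated": off + blen > len(data)})
        off += blen
    return {"endian": end, "interfaces": interfaces, "packets": packets}


if __name__ == "__main__":
    print(parse_pcapng_prefix(DUMP))
```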