
Wireshark-dev: [Wireshark-dev] PCap-NG support in Wireshark and Tshark

From: Matthias Lang <wireshark@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Dec 2013 13:46:31 +0100
Hi,

Summary: I've stumbled on some unexpected details in how wireshark and
         tshark handle PCap-NG. I'm not sure if they're bugs or
         insufficient RTFM, so I thought I'd run them by here before
         submitting bugs.

--------------------

I've checked out revision 54142 from subversion and built it on a
Debian AMD64 box. I.e. I think I'm looking at fresh code on a sane system.

1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
   allowed. But it actually works fine. Manpage says:

    | =item -r  E<lt>infileE<gt>
    |
    | Read packet data from I<infile>, can be any supported capture file format
    | (including gzipped files).  It's B<not> possible to use named pipes
    | or stdin here!

   Here's what happens, i.e. it works just fine:

      >cat /tmp/dumpcap.pcapng | ./tshark -r -
      0 0.000000000 0  192.168.1.3 -> 255.255.255.255 UDP 211 ...
      0 0.000027000 0  192.168.1.3 -> 255.255.255.255 UDP 235 ...

   And reading from a named pipe works fine too:

      >mkfifo /tmp/a_named_pipe
      >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe &
      >./tshark -r /tmp/a_named_pipe
      0 0.000000000 0  192.168.1.3 -> 255.255.255.255 UDP 211 ...

   I figure this can be fixed by just removing the word "not" from the
   manpage.

   Q: Ok if I submit a diff for my rewording?

2. tshark.pod says

   | B<TShark>'s native capture file format is B<pcap> format

   It might help someone if it said "B<Pcap-NG>". I'm not sure if
   Pcap-NG is considered a separate format or a new version. It feels
   like a separate format to me since it's totally incompatible.

   Q: Ok if I submit a diff for my rewording?

3. Wireshark can read a Pcap from stdin, but not Pcap-NG.

   The following works fine:

      >./wireshark -r /tmp/dumpcap.pcapng

   But the following gets me a "Unrecognized libpcap format" dialog box:

      >./wireshark -k -i - < /tmp/dumpcap.pcapng

   I get the same dialog box if I do this:

      >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe  &
      >wireshark -k -i /tmp/a_named_pipe

   But this works fine:

      >./tshark -r /tmp/dumpcap.pcapng -F pcap -w - | ./wireshark -k -i -

   Q: is there a switch I'm missing or is this a bug?

4. The wireshark wiki says "if_tsresol" is supported, but only for
   values 6 (microseconds) and 9 (nanoseconds).

   Wireshark is better than that.

   I verified that 0, 1, 2 and 3 (seconds, tenths of seconds,
   hundredths, milliseconds) work in both tshark and
   wireshark. Milliseconds are important to me because the Pcap-NG
   files I generate have millisecond timestamps.

   I suspect all values work. I'm not good enough at subversion to
   figure out since when. It might be commit r41455.

   Wiki: http://wiki.wireshark.org/Development/PcapNg

   Q: Ok if I edit the wiki to just say that it works? i.e. without
      the limitation?


5. If an IDB in a Pcap-NG file contains both 'if_name' and
   'if_description', wireshark only seems to display the
   if_description; I can't figure out a way to see the name.

   The way I see the 'if_name' is to open the file and go into
   'Statistics/Summary'.

   Here's an example of each type of file:

   if_name: http://corelatus.se/~matthias/if_name_only.pcapng
   if_name and if_description: http://corelatus.se/~matthias/if_name_and_description.pcapng

   And here's a screenshot of the "good" case, i.e. when you only
   have the if_name field:

   http://blog.corelatus.com/static/pcap_ng_wireshark_summary_screenshot.png

   I generated the Pcap-NG file, so it's possible I've stuffed up and
   made a file that's somehow invalid. But it looks fine to me.

   Q: Can I report this as a bug? (Or is it deliberate?)

6. I can't figure out a way to display the interface _name_ in
   the Wireshark packet detail pane. Here's a screenshot where I've
   got the interface _number_ displayed:

   http://blog.corelatus.com/static/pcap_ng_wireshark_screenshot.png

   I found an earlier discussion about this:

   http://www.wireshark.org/lists/wireshark-users/201206/msg00082.html

   Q: Is there a way to get at "frame.interface_name"? Both for display
      and filtering. (last time, the answer was "not yet")

   Q: Same question for tshark.


Background: I work with signalling on SS7 (telecom) networks. One
hardware capture device can capture signalling from hundreds of
interfaces.

Being able to view, filter and sort packets captured on multiple
interfaces is really useful, so I implemented support for writing
PCap-NG files instead of classic PCap. And now I'm exploring what
I can do with the result in Wireshark and tshark.

Matt