Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: [Wireshark-dev] tshark --export-objects : -2 assumed or required for two-pass ?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Mon, 10 Aug 2020 16:30:42 -0500
tshark --export-objects dicom is behaving differently than exporting Dicom objects in Wireshark.

Is the "-2" option assumed to be set, observed if set or not used at all for exporting objects with tshark?

I think a two-pass is needed to set the is_storage flag properly which is used below:

    if (pdv->is_storage &&
        pdv_curr->sop_class_uid    && strlen(pdv_curr->sop_class_uid)>0 &&
        pdv_curr->sop_instance_uid && strlen(pdv_curr->sop_instance_uid)>0) {

        sop_class_uid = wmem_strdup(wmem_packet_scope(), pdv_curr->sop_class_uid);
        sop_instance_uid = wmem_strdup(wmem_packet_scope(), pdv_curr->sop_instance_uid);

        /* Make sure filename does not contain invalid character. Rather conservative.
           Even though this should be a valid DICOM UID, apply the same filter rules
           in case of bogus data.
        */
        filename = wmem_strdup_printf(wmem_packet_scope(), "%06d-%d-%s.dcm", pinfo->num, cnt_same_pkt,
            g_strcanon(pdv_curr->sop_instance_uid, G_CSET_A_2_Z G_CSET_a_2_z G_CSET_DIGITS "-.", '-'));
    }
    else {
        /* No SOP Instance or SOP Class UID found in PDV. Use wireshark ones */

        sop_class_uid = wmem_strdup(wmem_packet_scope(), WIRESHARK_MEDIA_STORAGE_SOP_CLASS_UID);
        sop_instance_uid = wmem_strdup_printf(wmem_packet_scope(), "%s.%d.%d",
            WIRESHARK_MEDIA_STORAGE_SOP_INSTANCE_UID_PREFIX, pinfo->num, cnt_same_pkt);

        /* Make sure filename does not contain invalid character. Rather conservative.*/
        filename = wmem_strdup_printf(wmem_packet_scope(), "%06d-%d-%s.dcm", pinfo->num, cnt_same_pkt,
            g_strcanon(pdv->desc, G_CSET_A_2_Z G_CSET_a_2_z G_CSET_DIGITS "-.", '-'));

    }


Diff showing with and without the "-2" flag used on tshark.
Test pcap is attached here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13570


683c683
<   683 9.254460000 9.254460000 165.226.144.126 1514 ·······A···· 0x010 0x2bb0 65004  P-DATA, PDV Fragment [TCP segment of a reassembled PDU]
---
>   683 9.254460000 9.254460000 165.226.144.126 1514 ·······A···· 0x010 0x2bb0 65004  P-DATA, Secondary Capture Image Storage Fragment (reassembled in #2804) [TCP segment of a reassembled PDU]
716c716
<   716 9.257150900 9.257150900 165.226.144.126 1362 ·······AP··· 0x018 0x4630 65004  P-DATA, PDV Fragment
---
>   716 9.257150900 9.257150900 165.226.144.126 1362 ·······AP··· 0x018 0x4630 65004  P-DATA, Secondary Capture Image Storage Fragment (reassembled in #2804)


Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube