Wireshark · Wireshark-dev: Re: [Wireshark-dev] Tshark closing unexpectedly due to failure reading from file

[James Ko <jck@xxxxxxxxxx>]

Thanks Guy.

That was my analysis since my last email as well.  I just hadn't come up with a fix. ;-)

I just have one question about the fix.. Is it okay to send multiple SP_FILE indications on the same file?

If the pcapng stream inserts a new SHB to start a new section does dumpcap restart with a new temp file or does it continue with passthrough on the same file?

We do appreciate the attention given to this problem and the quick fix.

Cheers,

James

On Fri, Nov 20, 2020 at 12:37 AM Guy Harris <gharris@xxxxxxxxx> wrote:

On Nov 19, 2020, at 9:07 PM, Alastair Scott <ads@xxxxxxxxxx> wrote:

> Do you know where in the code base I could look for a potential remedy to this issue? I'm trying to find a place to add a delay to ensure the read does not come early.

What needs to be delayed is the sending of the SP_FILE message from dumpcap to TShark/Wireshark when in "pcapng passthrough" mode.  See merge request !977:

        https://gitlab.com/wireshark/wireshark/-/merge_requests/977

which does exactly that, and my comment in issue #17013:

        https://gitlab.com/wireshark/wireshark/-/issues/17013#note_451496651
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe