https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16420

            Bug ID: 16420
           Summary: Exported PDU pcapng not readable by libpcap
           Product: Wireshark
           Version: 3.2.0
          Hardware: x86
                OS: Fedora
            Status: UNCONFIRMED
          Severity: Minor
          Priority: Low
         Component: Capture file support (libwiretap)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: j...@wizmail.org
  Target Milestone: ---

Created attachment 17656
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17656&action=edit
sample problem file

Build Information:
Version 3.2.0 (Git commit e0ed4cfa3d72) 
Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see the
source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (64-bit) with Qt 5.12.5, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.62.3, with zlib 1.2.11, with SMI 0.4.8, with
c-ares 1.15.0, with Lua 5.1.5, with GnuTLS 3.6.11 and PKCS #11 support, with
Gcrypt 1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2,
without brotli, without LZ4, without Zstandard, without Snappy, without
libxml2, with QtMultimedia, with SpeexDSP (using bundled resampler), without
SBC, without SpanDSP, without bcg729. 
Running on Linux 5.5.5-200.fc31.x86_64, with Intel(R) Core(TM) i7-6820HQ CPU @
2.70GHz (with SSE4.2), with 15872 MB of physical memory, with locale
LC_CTYPE=en_US.utf8, LC_NUMERIC=en_US.utf8, LC_TIME=en_GB,
LC_COLLATE=en_US.utf8, LC_MONETARY=en_US.utf8, LC_MESSAGES=en_US.utf8,
LC_PAPER=en_US.utf8, LC_NAME=en_US.utf8, LC_ADDRESS=en_US.utf8,
LC_TELEPHONE=en_US.utf8, LC_MEASUREMENT=en_US.utf8,
LC_IDENTIFICATION=en_US.utf8, with light display mode, without HiDPI, with
libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.11, with Gcrypt 1.8.5,
with zlib 1.2.11, binary plugins supported (15 loaded). Built using gcc 9.2.1
20190827 (Red Hat 9.2.1-1). 
Wireshark is Open Source Software released under the GNU General Public
License. 
Check the man page and https://www.wireshark.org for more information. 
--
[Component for the bug could be wrong; please update as needed]

Having used File/Export_PDUs_to_File.. (OSI Level 3) followed by
Export_Specified_Packets, the resulting .pcapng (or .pcap) is not readable
by a utility built with libpcap-14:1.9.1-1.fc31.x86_64 on Fedora 31.

The utility uses pcap_dispatch() with a callback function using
pcap_datalink();
the latter returns a value 252 - which is not documented as one of the
possible return values per https://www.tcpdump.org/linktypes.html
(linked from https://www.tcpdump.org/manpages/pcap_datalink.3pcap.html).

The Wireshark "packet details" pane shows the dissection sequence as
- Frame
- EXPORTED_PDU
- Internet Protocol Version 4
- Transmission Control Protocol

(and Wireshark itself is perfectly happy with reading the file it had written).


So the need is one of

- a way of writing a pcap file that older libpcap-based utilities understand,
  presumably by stripping the EXPORTED_PDU layer

- an update to libpcap, to invisibly handle the new pcap file format

- documentation on the new coding pattern required for utilities to handle the
  new file format.  This would suffice for my immediate need as I am the
  maintainer for this utility
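
For the third option, an added example (not code from the report, Wireshark or libpcap) of how a reader could step over the EXPORTED_PDU layer when pcap_datalink() returns 252, which libpcap's headers name DLT_WIRESHARK_UPPER_PDU. It assumes the layout used by Wireshark's exported-PDU format, a list of options each made of a 2-byte big-endian tag, a 2-byte big-endian length and a value, ended by tag 0; the function name and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_END_OF_OPT 0   /* terminates the option list */
#define TAG_PROTO_NAME 12  /* name of the dissector for the inner PDU */

/* Constructed sample: proto-name option "ip" (padded to 4 bytes),
 * end-of-options, then the first bytes of an IPv4 header. */
static const uint8_t sample_frame[] = {
    0x00, 0x0c, 0x00, 0x04, 'i', 'p', 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00
};

/* Walk the options that precede an exported PDU (hypothetical helper).
 * Returns the offset of the inner PDU within the captured bytes, or -1 if
 * the option list is truncated or an option length overruns the capture.
 * A protocol-name option, if present, is copied into name. */
long upper_pdu_payload_offset(const uint8_t *p, size_t caplen,
                              char *name, size_t name_sz)
{
    size_t off = 0;
    if (name_sz)
        name[0] = '\0';
    while (caplen - off >= 4) {
        uint16_t tag = (uint16_t)(p[off] << 8 | p[off + 1]);
        uint16_t len = (uint16_t)(p[off + 2] << 8 | p[off + 3]);
        off += 4;
        if (tag == TAG_END_OF_OPT)
            return (long)off;          /* inner PDU starts here */
        if (len > caplen - off)
            return -1;                 /* value runs past captured data */
        if (tag == TAG_PROTO_NAME && name_sz) {
            size_t n = len < name_sz - 1 ? len : name_sz - 1;
            memcpy(name, p + off, n);
            name[n] = '\0';
        }
        off += len;
    }
    return -1;                         /* no end-of-options tag seen */
}

int main(void)
{
    char name[16];
    long off = upper_pdu_payload_offset(sample_frame, sizeof sample_frame,
                                        name, sizeof name);
    printf("inner protocol \"%s\", PDU at offset %ld\n", name, off);
    return off < 0;
}
```

In a pcap_dispatch() callback the buffer and length would be the packet bytes and the header's caplen; bounds are checked against caplen because the file contents are untrusted input.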
