Wireshark mailing list archives
Dumpcap 2.x trouble
From: Jasper Bongertz <jasper () packet-foo com>
Date: Mon, 18 Apr 2016 19:37:30 +0200
Hi all,

I noticed that captures taken with Wireshark 2.x (meaning, with the dumpcap coming with those versions) show unexpected results (see the glossary below for the abbreviations). With 1.12, the dumpcap version is written to the application option field in the SHB, and the OS build in the OS option field. Both values are omitted in 2.0.2 and later. As far as I can tell the OS is now written as option code 12 to the IDB instead, but the capture application is not found anywhere. And Wireshark does not show the IDB OS option anymore anywhere (yet?).

I think losing the capture application is not a good idea, especially when we change the behaviour of dumpcap all of a sudden: in the latest 2.1.x dev builds the start/end timestamp options (called isb_starttime and isb_endtime) for the ISB are written in the wrong order, as lo-hi values instead of hi-lo (like it is specified in the PCAPng specs) - in 2.0.2 they are written correctly (from my point of view, at least). I have to admit that the latest PCAPng specs are confusing on this point though - they state "format as for the EHB" (which is Hi-Lo, clearly), but the examples for the options mention "Little Endian" and are given in Lo-Hi order (which contradicts the EHB order).

Frankly, I don't see why we should do Lo-Hi now all of a sudden, as it makes it more complex to read PCAPng files from now on. There is no good way to tell how to read the timestamp values, especially with the capture application being unknown. Having to try-catch the values (meh!) to find the right order when dealing with PCAPng files after 2.1.x is released is a workaround at best. And we can't really depend on the capture application value even if it is present for this anymore. But maybe there's a good reason for that kind of change to the timestamp order I can't see right now?

Short Glossary:
SHB = Section Header Block
IDB = Interface Description Block
ISB = Interface Statistics Block

Cheers,
Jasper
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
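The ambiguity described in the post above, as an added example that is not part of the original message or of Wireshark's code: a small Python parser for an Interface Statistics Block that reads the isb_starttime/isb_endtime options and decodes each 8-byte value under both word orders, plus a date-range plausibility check of the kind the post calls a workaround. It assumes a little-endian section and microsecond timestamp resolution (both would normally come from the SHB/IDB); the ISB bytes are constructed inline.

```python
import struct
from datetime import datetime, timezone

ISB_TYPE = 0x00000005                      # Interface Statistics Block
OPT_ENDOFOPT, ISB_STARTTIME, ISB_ENDTIME = 0, 2, 3

def build_isb(iface_id, start_words, end_words, endian="<"):
    """Constructed ISB (not from a real capture); *_words are the two 32-bit words in the order the writer emits them."""
    opts = b"".join(struct.pack(endian + "HHII", code, 8, *words)
                    for code, words in ((ISB_STARTTIME, start_words), (ISB_ENDTIME, end_words)))
    opts += struct.pack(endian + "HH", OPT_ENDOFOPT, 0)
    body = struct.pack(endian + "III", iface_id, 0, 0) + opts    # block-level timestamp left zero
    total = 12 + len(body)                                         # type + length, body, trailing length
    return struct.pack(endian + "II", ISB_TYPE, total) + body + struct.pack(endian + "I", total)

def parse_isb_options(block, endian="<"):
    """Walk the option list of one ISB and return {option_code: raw_value_bytes}."""
    btype, total = struct.unpack_from(endian + "II", block, 0)
    if btype != ISB_TYPE or total != len(block):
        raise ValueError("not a well-formed ISB")
    off, end, opts = 20, total - 4, {}                             # options start after iface id + 8-byte timestamp
    while off + 4 <= end:
        code, length = struct.unpack_from(endian + "HH", block, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = block[off:off + length]
        off += (length + 3) & ~3                                   # option values are padded to 32 bits
    return opts

def decode_timestamp(raw, order, endian="<", units_per_sec=1_000_000):
    """Interpret the 8-byte option value as seconds; 'hi-lo' is the EHB-style order, 'lo-hi' the swapped reading."""
    first, second = struct.unpack(endian + "II", raw)
    hi, lo = (first, second) if order == "hi-lo" else (second, first)
    return ((hi << 32) | lo) / units_per_sec

def plausible_orders(raw, earliest=1990, latest=2100):
    """Heuristic only: which word orders give a date in a sane range? Shows the ambiguity, not a substitute for knowing the writer."""
    found = []
    for order in ("hi-lo", "lo-hi"):
        try:
            year = datetime.fromtimestamp(decode_timestamp(raw, order), tz=timezone.utc).year
        except (OverflowError, OSError, ValueError):               # absurd magnitudes do not even convert
            continue
        if earliest <= year <= latest:
            found.append(order)
    return found
```

For a real file, the same swapped value is only detectable this way because one reading lands centuries away; a file written with the other order still parses without error, which is exactly why the writer's identity matters.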
Current thread:
- Dumpcap 2.x trouble Jasper Bongertz (Apr 18)
- Re: Dumpcap 2.x trouble Guy Harris (Apr 18)
- Re: Dumpcap 2.x trouble Guy Harris (Apr 18)
- Re: Dumpcap 2.x trouble Jasper Bongertz (Apr 19)
- Re: Dumpcap 2.x trouble Jasper Bongertz (Apr 19)
- Re: Dumpcap 2.x trouble Guy Harris (Apr 18)
- Re: Dumpcap 2.x trouble Guy Harris (Apr 18)