http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1438
------- Comment #3 from j.pedro.fonseca@xxxxxxxxxxxxxxx 2007-03-15 10:44 GMT -------
(In reply to comment #2)
> As per
>
> http://www.wireshark.org/lists/wireshark-dev/200703/msg00219.html
>
> a better fix might be to add support to wiretap/erf.c for *writing* ERF files.
>
Writing ERF would solve the problem of editing files using mergecap, etc. But
I'm also feeding live captures through pipes (for example "mycapture | tshark
-i -"), and this requires the format of the stream to be libpcap.

> Also, as per that mail, how did any program allow you to write packets from
> that capture out into a libpcap file, if the file had untruncated AAL5 PDUs?
Mergecap: "mergecap -T atm-pdus -w out.pcap in.erf"

> There is no support for "best effort" conversion (and leaving the trailer in
> isn't a very good effort; the "best effort" would be to throw away the
> trailer).
>
Throwing away the trailer respects the agreed format. But the ATM dissector
will not be able to show the same info as in the ERF file... What's really
missing here is a DTM_SUNATM_UNTRUNCATED network type in libpcap. That way
"mergecap -T atm-pdus-untruncated -w out.pcap in.erf" would be possible, and
the conversion would be accurate and retain all information.

I will attach an example capture file (erf and pcap converted with mergecap).