Wireshark-bugs: [Wireshark-bugs] [Bug 6260] Saving ERF files.

Date: Thu, 1 Sep 2011 23:18:12 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6260

Stephen Donnelly <stephen@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stephen@xxxxxxxxxx

--- Comment #12 from Stephen Donnelly <stephen@xxxxxxxxxx> 2011-09-01 23:18:10 PDT ---
(In reply to comment #9)
Sounds like it is a bit tricky, we might leave that one with you?

(In reply to comment #10)
> Should the added crc be recognized as one?  Right now it shows as a ethernet
> trailer in all my captures saved as erf (including the sample ERF file
> provided here).

We will look into that, I presume the ETH dissector should be detecting and
displaying it as a FCS/CRC rather than a trailer. Perhaps it should have a
'verify FCS' preference/expert infos as well similar to other protocol checksum
checking?

(In reply to comment #11)
> The ERF dissector has a preference to indicate whether the packet has an FCS or
> not.  I infer, perhaps incorrectly, that this means that, in ERF files,
> Ethernet packets don't necessarily have an FCS.
> 
> If that's not true and has never been true - i.e., if no ERF capture file has
> *ever*, in the history of the ERF file format, had Ethernet packets without an
> FCS - the preference should be eliminated and the ERF dissector should always
> call the "eth_withfcs" dissector, which skips the "does this packet look as if
> it has an FCS" heuristic and always treats the last 4 octets of the packet as
> an FCS.

There are ERF Ethernet files that have no FCS. Almost all of these are files
that have been converted to ERF from pcap files lacking FCS, and no synthetic
FCS was added.

Current DAG cards always capture the FCS, although some models a few years ago
had an option to strip it.

> If that *is* true, then:
> 
>     1) the preference should still be there;

Agreed.

>     2) other software that handles ERF files has to be able to deal with it, so
> there's no need to add a synthesized FCS to the packet;

Because it is a rare case not all other software handles it, and if it does it
is not automatic. 'Normal' ERF files do include the FCS, and files without are
a manual exception, so supporting 'with-FCS' is much preferred.

By adding the FCS by default we are reducing the chance of users encountering
files without FCS, rather than excaberating the problem.

>     3) you should set that preference to see the last 4 octets treated as an
> FCS.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.