https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6937
--- Comment #3 from Anders Broman <anders.broman@xxxxxxxxxxxx> 2012-03-11 12:15:25 PDT ---
(In reply to comment #0)
> Build Information:
> TShark 1.7.1 (SVN Rev 41483 from /trunk)
> --
> Pcap-ng files created by Wiretap API based tools (tshark, editcap, and
> wireshark(?) at the moment) inherit the shb_userappl value from the source file
> and they shouldn't.
Why not? should SHB_USERAPPL show the application which wrote the actual file
or
the application which did the capture? I can se both having merrit.
If I have a capture file and add notes to it and re-save it having the original
SHB_USERAPPL would give me better information that it beeing overwritten by
Wireshark especially if the application is something other than dumpcap.
Same goes for splitting a file.
>
> Notes:
> * Most likely the source file has been created by dumpcap
> * Dumpcap pcapio API writes nul-terminated strings values to the pcapng file;
> the wiretap API doesn't; the files will differ (option length values,
> padding)
> even if the new one is a copy of first one.
Yes, is that a problem? why?
>
> Example:
>
> 1) dumpcap ... -w first.pcapng
> 2) tshark ... -r first.pcapng -w new.pcapng
> or
> editcap ... first.pcapng new.pcapng
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.