Wireshark-bugs: [Wireshark-bugs] [Bug 7381] pcapng - mergecap generates unusable file if interfa

Date: Tue, 10 Jul 2012 21:15:59 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7381

--- Comment #8 from Guy Harris <guy@xxxxxxxxxxxx> 2012-07-10 21:15:57 PDT ---
As of rev 43657, instead of generating unreadable files, mergecap should report
"mergecap: Error writing to outfile: Internal error".

I'll work on actually *fixing* it, but that's a bigger change.

What mergecap needs to do, when writing packets in a file format that supports
interface information (currently, we only support it for pcap-ng) is, for all
input files that have interface information, build a "merged" interface list
for all the interfaces, *regardless* of whether any packets were captured on
them or not.  For input files that *don't* have interface information, it
should create "fake" interfaces.

The simplest technique is to just build a list that includes *all* the
interfaces and a fake interface for each link-layer type that appears in the
input files that don't have interface information.

However, in some cases, this could result in packets that were, in fact,
captured on the *same* interface being reported as coming from *different*
interfaces that happen to have the same name.  Consider, for example, using
mergecap to append a capture done on a machine's "en0" interface to another
capture done on the same machine's "en0" interface.

So one alternative would be to merge all interfaces that have the same
link-layer type and the same values for all options.  This could, in theory,
result in interfaces that *shouldn't* be merged being merged anyway; adding an
additional IDB option for the host name of the machine on which the capture is
being done (if you're doing an rpcap or other remote capture, this would be the
name of the machine running the capture program, *not* the remote machine with
the interface - that machine's host name would be in the interface name, as
that would be the URL used) would probably prevent most if not all of those.

For fake interfaces, we should probably create one for each link-layer
type/snapshot length pair seen in the files that don't have interface
information, those being the only bits of information that can be supplied for
fake interfaces (well, with the exception of the time stamp resolution, but
getting that for fake interfaces requires us to fetch that from Wiretap for the
opened files, which is a project for the future).

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.