Bug ID |
10588
|
Summary |
tshark pdml output embeds "proto" elements within other "proto" elements
|
Product |
Wireshark
|
Version |
unspecified
|
Hardware |
x86
|
OS |
Linux (other)
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
TShark
|
Assignee |
[email protected]
|
Reporter |
[email protected]
|
Created attachment 13180 [details]
Use with: tshark -T pdml -o 'uat:user_dlts:"User 0
(DLT=147)","rrc.dl.dcch","0","","0",""' -r embedded_proto_issue.pcap
Build Information:
TShark (Wireshark) 1.99.1 (v1.99.1rc0-226-g54dfe3b from master)
Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.40.0, without SMI, without c-ares, without ADNS,
with Lua 5.1, without GnuTLS, with Gcrypt 1.6.1, without Kerberos, without
GeoIP.
Running on Linux 3.14.22-fg.roam-amd, with locale en_GB.utf8, with libpcap
version 1.5.3, with libz 1.2.8, with Gcrypt 1.6.1.
Built using gcc 4.8.2.
--
When processing attached WCDMA RRC message with the following command:
tshark -T pdml -o 'uat:user_dlts:"User 0
(DLT=147)","rrc.dl.dcch","0","","0",""' -r embedded_proto_issue.pcap
tshark produces output that not only has "proto" elements as a direct children
of "packet", but also "proto" elements that are children of "field" elements,
in this particular case even proto-within-proto-within-proto (ipcp within
gsm_a.dtap within rrc).
It was confirmed in a comment here that it's likely to be a bug:
https://ask.wireshark.org/questions/8803/tshark-pdml-output-embeds-a-section-within-another-section
And certainly an unexpected (at least from reading README.xml-output) behavior
for me (expected only "field" elements all the way down from "proto"), which
might be worth documenting there.
pdml in my case (attached pcap) seem to be well-formed xml (despite original
question in the link above).
Was able to reproduce the issue on both tshark built from current git (as per
Build Information) and stable 1.12.1.
You are receiving this mail because:
- You are watching all bug changes.