Wireshark-dev: Re: [Wireshark-dev] writing non-Ethernet pcapng files

From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Fri, 22 May 2009 16:30:53 +0200
Hi Tyson,

1.0.7 does only support one section header and one interface header at the beginning of the pcapng file. The current svn version, allows one section
header at the beginning and multiple interface headers, but not multiple
sections headers. Basically, Wireshark (the svn version) can currently
only read pcapng files containing one section. That is the reason why
you can not just concatenate several pcapng files and read the resulting file. So it is not a limitation of pcapng, but of its current implementation in Wireshark.

Best regards
Michael

On May 22, 2009, at 1:27 PM, Tyson Key wrote:

Hi.
Out of interest, are there supposed to be issues with Ethernet Pcap- NG files/packets appended to other Pcap-NG files generated with Wireshark 1.0.7 having an unrecognised link type in later (SVN) versions of Wireshark? At the same time, it seems that 1.0.7 has issues reading packets in Pcap-NG files from later versions (i.e. it'll try to recognise a few frames, and if the link type is Ethernet, show them in the packet pane, but it'll complain about a decompression error when trying to view them, or it'll just show one packet with an unknown link type (usally 0 or 113 here), depending on how packets were combined).

I've attached some samples for reference.

Thanks,
Tyson.

On Fri, May 22, 2009 at 6:35 AM, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
Aaron Turner schrieb:
> On Thu, May 21, 2009 at 12:20 PM, Michael Tüxen
> <Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
>> On May 21, 2009, at 9:15 PM, Aaron Turner wrote:
>>
>>> On Thu, May 21, 2009 at 11:55 AM, Michael Tüxen
>>> <Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
>>>> Hi Aaron,
>>>>
>>>> can you check also with the latest svn version?
>>> This was trunk-1.0 r28436.  Are you working in trunk (wireshark
>>> 1.1.x)?
>> Yes, I'm working in 1.1.x...
>
>
> I just looked at the lastest trunk, and it too hard codes only
> ethernet as supported:
>
> from wiretap/pcapng.c pcapng_dump_can_write_encap():
>
>       /* XXX - for now we only support Ethernet */
>       if (encap != WTAP_ENCAP_ETHERNET)
>               return WTAP_ERR_UNSUPPORTED_ENCAP;
>

Hi!

This comment is from the time when I started to experimentally implement
pcapng.

This was only a rough prototype at that time and as I'm personally only
using Ethernet, I've only implemented the absolutely necessary stuff.

It's very long ago so I can't remember if there are any further problems
with anything else then Ethernet.

Seems that you're the first one trying to use it in this way ...

Regards, ULFL
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Fight Internet Censorship! http://www.eff.org
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105 < Cooked_DC28436 -107_Ethernet_Concat .ntar > < Cooked_Dumpcap_SVN_28436 .ntar > < Ethernet_Dumpcap_SVN_28436 .ntar > < Ethernet_Wireshark_1.0.7 .ntar > ___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe