Wireshark-dev: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
From: Matthias Lang <wireshark@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Dec 2013 13:46:31 +0100
Hi, Summary: I've stumbled on some unexpected details in how wireshark and tshark handle PCap-NG. I'm not sure if they're bugs or insufficient RTFM, so I thought I'd run them by here before submitting bugs. -------------------- I've checked out revision 54142 from subversion and built it on a Debian AMD64 box. I.e. I think I'm looking at fresh code on a sane system. 1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't allowed. But it actually works fine. Manpage says: | =item -r E<lt>infileE<gt> | | Read packet data from I<infile>, can be any supported capture file format | (including gzipped files). It's B<not> possible to use named pipes | or stdin here! Here's what happens, i.e. it works just fine: >cat /tmp/dumpcap.pcapng | ./tshark -r - 0 0.000000000 0 192.168.1.3 -> 255.255.255.255 UDP 211 ... 0 0.000027000 0 192.168.1.3 -> 255.255.255.255 UDP 235 ... And reading from a named pipe works fine too: >mkfifo /tmp/a_named_pipe >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe & >./tshark -r /tmp/a_named_pipe 0 0.000000000 0 192.168.1.3 -> 255.255.255.255 UDP 211 ... I figure this can be fixed by just removing the word "not" from the manpage. Q: Ok if I submit a diff for my rewording? 2. tshark.pod says | B<TShark>'s native capture file format is B<pcap> format It might help someone if it said "B<Pcap-NG>". I'm not sure if Pcap-NG is considered a separate format or a new version. It feels like a separate format to me since it's totally incompatible. Q: Ok if I submit a diff for my rewording? 3. Wireshark can read a Pcap from stdin, but not Pcap-NG. The following works fine: >./wireshark -r /tmp/dumpcap.pcapng But the following gets me a "Unrecognized libpcap format" dialog box: >./wireshark -k -i - < /tmp/dumpcap.pcapng I get the same dialog box if I do this: >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe & >wireshark -k -i /tmp/a_named_pipe But this works fine: >./tshark -r /tmp/dumpcap.pcapng -F pcap -w - | ./wireshark -k -i - Q: is there a switch I'm missing or is this a bug? 4. The wireshark wiki says "if_tsresol" is supported, but only for values 6 (microseconds) and 9 (nanoseconds). Wireshark is better than that. I verified that 0, 1, 2 and 3 (seconds, tenths of seconds, hundreths, milliseconds) work in both tshark and wireshark. milliseconds are important to me because the Pcap-NG files I generate have millisecond timestamps. I suspect all values work. I'm not good enough at subversion to figure out since when. It might be commit r41455. Wiki: http://wiki.wireshark.org/Development/PcapNg Q: Ok if I edit the wiki to just say that it works? i.e. without the limitation? 5. If an IDB in a Pcap-NG file contains both 'if_name' and 'if_description', wireshark only seems to display the if_description; I can't figure out a way to see the name. The way I see the 'if_name' is to open the file and go in to 'Statistics/Summary'. Here's an example of each type of file: if_name: http://corelatus.se/~matthias/if_name_only.pcapng if_name and if_description: http://corelatus.se/~matthias/if_name_and_description.pcapng And here's a screenshot of the "good" case, i.e. when you only have the if_name field: http://blog.corelatus.com/static/pcap_ng_wireshark_summary_screenshot.png I generated the Pcap-NG file, so it's possible I've stuffed up and made a file that's somehow invalid. But it looks fine to me. Q: Can I report this as a bug? (Or is it deliberate?) 6. I can't figure out a way to display the interface _name_ in the Wireshark packet detail pane. Here's a screenshot where I've got the interface _number_ displayed: http://blog.corelatus.com/static/pcap_ng_wireshark_screenshot.png I found an earlier discussion about this: http://www.wireshark.org/lists/wireshark-users/201206/msg00082.html Q: Is there a way to get at "frame.interface_name"? Both for display and filtering. (last time, the answer was "not yet") Q: Same question for tshark. Background: I work with signalling on SS7 (telecom) networks. One hardware capture device can capture signalling from hundreds of interfaces. Being able to view, filter and sort packets captured on multiple interfaces is really useful, so I implemented support for writing PCap-NG files instead of classic PCap. And now I'm exploring what I can do with the result in Wireshark and tshark. Matt
- Follow-Ups:
- Re: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
- From: Anders Broman
- Re: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
- From: Guy Harris
- Re: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
- From: Guy Harris
- Re: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
- Prev by Date: Re: [Wireshark-dev] BCD Decoding
- Next by Date: Re: [Wireshark-dev] Coding style and example dissector
- Previous by thread: Re: [Wireshark-dev] Coding style and example dissector
- Next by thread: Re: [Wireshark-dev] PCap-NG support in Wireshark and Tshark
- Index(es):