[Anders Broman <a.broman@xxxxxxxxxxxx>]

Matthias Lang skrev 2013-12-18 13:46:
> Hi,
>
> Summary: I've stumbled on some unexpected details in how wireshark and
>           tshark handle PCap-NG. I'm not sure if they're bugs or
> 	 insufficient RTFM, so I thought I'd run them by here before
> 	 submitting bugs.
>
> --------------------
>
> I've checked out revision 54142 from subversion and built it on a
> Debian AMD64 box. I.e. I think I'm looking at fresh code on a sane system.
>
> 1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
>     allowed. But it actually works fine. Manpage says:
>
>      | =item -r  E<lt>infileE<gt>
>      |
>      | Read packet data from I<infile>, can be any supported capture file format
>      | (including gzipped files).  It's B<not> possible to use named pipes
>      | or stdin here!
>
>     Here's what happens, i.e. it works just fine:
>
>        >cat /tmp/dumpcap.pcapng | ./tshark -r -
>        0 0.000000000 0  192.168.1.3 -> 255.255.255.255 UDP 211 ...
>        0 0.000027000 0  192.168.1.3 -> 255.255.255.255 UDP 235 ...
>
>     And reading from a named pipe works fine too:
>
>        >mkfifo /tmp/a_named_pipe
>        >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe &
>        >./tshark -r /tmp/a_named_pipe
>        0 0.000000000 0  192.168.1.3 -> 255.255.255.255 UDP 211 ...
>
>     I figure this can be fixed by just removing the word "not" from the
>     manpage.
>
>     Q: Ok if I submit a diff for my rewording?

Yes
> 2. tshark.pod says
>
>     | B<TShark>'s native capture file format is B<pcap> format
>
>     It might help someone if it said "B<Pcap-NG>". I'm not sure if
>     Pcap-NG is considered a separate format or a new version. It feels
>     like a separate format to me since it's totally incompatible.
>
>     Q: Ok if I submit a diff for my rewording?
Yes
> 3. Wireshark can read a Pcap from stdin, but not Pcap-NG.
>
>     The following works fine:
>
>        >./wireshark -r /tmp/dumpcap.pcapng
>
>     But the following gets me a "Unrecognized libpcap format" dialog box:
>
>        >./wireshark -k -i - < /tmp/dumpcap.pcapng
>
>     I get the same dialog box if I do this:
>
>        >cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe  &
>        >wireshark -k -i /tmp/a_named_pipe
>
>     But this works fine:
>
>        >./tshark -r /tmp/dumpcap.pcapng -F pcap -w - | ./wireshark -k -i -
>
>     Q: is there a switch I'm missing or is this a bug?
Bug or not yet implemented, open a bug.
> 4. The wireshark wiki says "if_tsresol" is supported, but only for
>     values 6 (microseconds) and 9 (nanoseconds).
>
>     Wireshark is better than that.
>
>     I verified that 0, 1, 2 and 3 (seconds, tenths of seconds,
>     hundreths, milliseconds) work in both tshark and
>     wireshark. milliseconds are important to me because the Pcap-NG
>     files I generate have millisecond timestamps.
>
>     I suspect all values work. I'm not good enough at subversion to
>     figure out since when. It might be commit r41455.
>
>     Wiki: http://wiki.wireshark.org/Development/PcapNg
>
>     Q: Ok if I edit the wiki to just say that it works? i.e. without
>        the limitation?
Yes
> 5. If an IDB in a Pcap-NG file contains both 'if_name' and
>     'if_description', wireshark only seems to display the
>     if_description; I can't figure out a way to see the name.
>
>     The way I see the 'if_name' is to open the file and go in to
>     'Statistics/Summary'.
>
>     Here's an example of each type of file:
>
>     if_name: http://corelatus.se/~matthias/if_name_only.pcapng
>     if_name and if_description: http://corelatus.se/~matthias/if_name_and_description.pcapng
>
>     And here's a screenshot of the "good" case, i.e. when you only
>     have the if_name field:
>
>     http://blog.corelatus.com/static/pcap_ng_wireshark_summary_screenshot.png
>
>     I generated the Pcap-NG file, so it's possible I've stuffed up and
>     made a file that's somehow invalid. But it looks fine to me.
>
>     Q: Can I report this as a bug? (Or is it deliberate?)
Bug or not yet implemented open a bug and include your test file.
> 6. I can't figure out a way to display the interface _name_ in
>     the Wireshark packet detail pane. Here's a screenshot where I've
>     got the interface _number_ displayed:
>
>     http://blog.corelatus.com/static/pcap_ng_wireshark_screenshot.png
>
>     I found an earlier discussion about this:
>
>     http://www.wireshark.org/lists/wireshark-users/201206/msg00082.html
>
>     Q: Is there a way to get at "frame.interface_name"? Both for display
>        and filtering. (last time, the answer was "not yet")
>
>     Q: Same question for tshark.
Probebly not yet implemented open a bug so it won't be forgotten.
> Background: I work with signalling on SS7 (telecom) networks. One
> hardware capture device can capture signalling from hundreds of
> interfaces.
>
> Being able to view, filter and sort packets captured on multiple
> interfaces is really useful, so I implemented support for writing
> PCap-NG files instead of classic PCap. And now I'm exploring what
> I can do with the result in Wireshark and tshark.
>
> Matt
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>               mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe