Hi all,
I noticed that captures taken with Wireshark 2.x (meaning, with
dumpcap coming with those versions) show unexpected results (see
Glossary below for the abbreviations).
With 1.12, the dumpcap version is written to the application option
field in the SHB, and the OS build in the OS option field. Both
values are omitted in 2.0.2 and later. As far as I can tell the OS
is now written as option code 12 to the IDB instead, but the capture
application is not found anywhere. And Wireshark does not show the
IDB OS option anymore anywhere (yet?). I think losing the capture
application is not a good idea, especially when we change behaviour
of dumpcap all of a sudden:
In the latest 2.1.x dev builds the start/end timestamp options
(called isb_starttime and isb_endtime) for the ISB are written in
the wrong order, as lo-hi values instead of hi-lo (like it is
specified in the PCAPng specs) - in 2.0.2 they are written
correctly (from my point of view, at least).
I have to admit that the latest PCAPng specs are confusing on this
point though - they state "format as for the EHB" (which is Hi-Lo,
clearly), but the examples for the options mention "Little Endian"
and are given in Lo-Hi order (which contradicts the EHB order).
Frankly I don't see the point why we should do Lo-Hi now all of a
sudden, as it makes it more complex to read PCAPng files from now
on. There is no good way to tell how to read the timestamp values,
especially with the capture application being unknown. Having to
try-catch the values (meh!) to find the right order when dealing
with PCAPng files after 2.1.x is released is a workaround at best.
And we can't really depend on the capture application value even if
it is present for this anymore.
But maybe there's a good reason for that kind of change to the
timestamp order I can't see right now?
Short Glossary:
SHB = Section Header Block
IDB = Interface Description Block
ISB = Interface Statistics Block
Cheers,
Jasper
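As an added illustration (not part of Jasper's mail or of Wireshark/dumpcap), a small Python builder and parser for an ISB that reads the isb_starttime/isb_endtime options and shows the plausibility fallback the mail calls a workaround at best: decode the 8-byte value both Hi-Lo and Lo-Hi and keep the layout that yields a sane start <= end range. Assumed: option codes 2 and 3 for isb_starttime/isb_endtime and the 32-bit block layout from the pcapng draft; the timestamps are constructed sample values.

```python
import struct

ISB_BLOCK_TYPE = 0x00000005                          # Interface Statistics Block
OPT_ENDOFOPT, ISB_STARTTIME, ISB_ENDTIME = 0, 2, 3   # option codes (assumed from the draft)

def build_isb(interface_id, block_ts, opts, order="hilo"):
    """Build one little-endian ISB; each (code, value) option is an 8-byte timestamp
    written as two 32-bit words, either "hilo" (as for the EPB) or "lohi"."""
    body = struct.pack("<III", interface_id, block_ts >> 32, block_ts & 0xFFFFFFFF)
    for code, value in opts:
        hi, lo = value >> 32, value & 0xFFFFFFFF
        body += struct.pack("<HHII", code, 8, *((hi, lo) if order == "hilo" else (lo, hi)))
    body += struct.pack("<HH", OPT_ENDOFOPT, 0)
    total = 8 + len(body) + 4                        # type + length, body, trailing length
    return struct.pack("<II", ISB_BLOCK_TYPE, total) + body + struct.pack("<I", total)

def parse_isb_options(block):
    """Return {option code: raw value bytes} from a little-endian ISB."""
    btype, total = struct.unpack_from("<II", block, 0)
    if btype != ISB_BLOCK_TYPE or total != len(block):
        raise ValueError("not a well-formed ISB")
    off, end, opts = 20, total - 4, {}               # options follow the 20-byte fixed part
    while off + 4 <= end:
        code, length = struct.unpack_from("<HH", block, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = block[off:off + length]
        off += (length + 3) & ~3                     # option values are padded to 32 bits
    return opts

def decode_ts(raw, order):
    """Reassemble a 64-bit timestamp from two 32-bit words in the given order."""
    a, b = struct.unpack("<II", raw)
    hi, lo = (a, b) if order == "hilo" else (b, a)
    return (hi << 32) | lo

def guess_order(start_raw, end_raw, lo_bound=2**40, hi_bound=2**56):
    """Heuristic fallback when the writer is unknown: return the layout that yields
    a sane start <= end range of microsecond epochs, or None if neither does."""
    for order in ("hilo", "lohi"):
        start, end = decode_ts(start_raw, order), decode_ts(end_raw, order)
        if lo_bound <= start <= end <= hi_bound:
            return order
    return None
# Constructed sample: a 5 s capture starting at a 2016-ish microsecond epoch.
START_US, END_US = 1_459_000_000_000_000, 1_459_000_005_000_000
OPTS = [(ISB_STARTTIME, START_US), (ISB_ENDTIME, END_US)]
SPEC_BLOCK, SWAPPED_BLOCK = build_isb(0, END_US, OPTS, "hilo"), build_isb(0, END_US, OPTS, "lohi")
```

The heuristic works here only because a swapped 32-bit pair lands far outside any realistic epoch; it cannot replace a reliable capture-application field in the SHB.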