Wireshark-dev: Re: [Wireshark-dev] PCAP-NG Block Formats

From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Fri, 10 Jun 2016 15:43:00 +0000

OK – let’s hope it’s the doc.  The thing is, if there could be an optional Options block at the end of the EPB we will have to have the 4 byte endofopt otherwise a reader could interpret the trailing Total Block Length as an option block.  I suppose the standard could require that the reader keep track of the block size and then figure out if Options are included but that is pretty messy.

 

I’ll raise as a Wireshark bug and let’s see who screams.

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Graham Bloice
Sent: 10 June 2016 16:36
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] PCAP-NG Block Formats

 

 

 

On 10 June 2016 at 16:28, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

Thanks Graham.

 

It’s good to be working with the correct doc.  It reads the same as the other doc and so I’m still confused.  I guess I’ll just copy the way that Wireshark does it.

 

Best regards…Paul

 

I think you should raise an issue, whether thats on the doc or wireshark I'm not sure.

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Graham Bloice
Sent: 10 June 2016 13:28
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] PCAP-NG Block Formats

 

 

 

On 10 June 2016 at 13:19, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

I’m writing some code that produces PCAP-NG files that I subsequently read with Wireshark.  However, WS throws an error when I open the resulting file and it’s complaining about there not being enough data left in an Enhanced Packet Block to satisfy the stated size of an option.  I’ve think I know what’s wrong but it’s led me to a fundamental question.

 

In the documentation in https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html section 3.3 the diagram shows that a variable length Options block can exist at the end of an Enhanced Packet Block.  I have assumed that if I don’t want to specify options I have to add an Option Code opt_endofopt and Option Length of zero at the point, which comes to four bytes 0x00000000.

 

That's obsolete documentation, try here: https://github.com/pcapng/pcapng 

 

I've no idea if that will explain the issue, but at least you'll then be using the same spec as the Wireshark code.

 

 

However, I’ve noticed that Wireshark generated traces don’t seem to do this.  All the examples I have looked at have two bytes of zeros, but this happens to align the end of the packet data on a 32-bit boundary and so I’m not sure if that’s the reason for the two bytes.

 

·        If I don’t want to add options to a packet, what should I add just prior to the trailing Block Total Length value?

·        Is this a Wireshark bug (writing incorrect format PCAP-NG files)?

 

Thanks and regards…Paul

 



 

 

 

--

Graham Bloice


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________