Wireshark-users: Re: [Wireshark-users] network monitor 3.4 traces cannot be read

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 22 Jul 2010 11:37:36 -0700
On Jul 22, 2010, at 10:23 AM, DePriest, Jason R. wrote:

> Why does the problem only affect the dev versions of Wireshark?

Because in 1.2.x, Wireshark ignored the per-packet encapsulation field in newer file formats, whereas, in 1.3.x/1.4.x, it doesn't.  There are some files, and some packets, that can't be correctly handled if the per-packet encapsulation field is ignored (e.g., the frames where NetMon stores information about the capture).

Microsoft's documentation on the file format doesn't mention the possibility of a frame type being 0, so either

	1) the documentation is incomplete

or

	2) there's a bug and the frame type is being fetched from the wrong location.

We'd need a capture file to distinguish between 1) and 2) to test a fix.  (I'll ask Paul Long of the NetMon group if there's a case where, for example, the per-packet type will be 0.)
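The behaviour difference described above, written out as an added C example (not Wireshark's netmon reader): one parser either ignores the per-record type and applies the file-level type to every frame (the 1.2.x behaviour) or honours the per-record trailer (1.3.x/1.4.x), and in the latter mode it refuses an undocumented type of 0 rather than guessing. The record layout, the type numbers and the sample bytes are simplified assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (not the real NetMon format): uint16 file-level type, then
   records of uint32 incl_len, incl_len data bytes, uint16 per-record type. */
enum { TYPE_UNKNOWN = 0, TYPE_ETHERNET = 1, TYPE_CAPTURE_INFO = 0xFFFD };

typedef struct { uint32_t incl_len; uint16_t type; const uint8_t *data; } record_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of records parsed, or -1 for truncated input, too many
   records, or (when honouring per-record types) an undocumented type of 0. */
int parse_capture(const uint8_t *buf, size_t len, int honor_per_record, record_t *out, int max)
{
    if (len < 2) return -1;
    uint16_t file_type = rd16(buf);
    size_t off = 2;
    int n = 0;
    while (off < len) {
        if (len - off < 4) return -1;                      /* no room for a length */
        uint32_t incl = rd32(buf + off);
        off += 4;
        if (incl > len - off || len - off - incl < 2) return -1; /* data or trailer cut off */
        uint16_t type = honor_per_record ? rd16(buf + off + incl) : file_type;
        if (type == TYPE_UNKNOWN) return -1;               /* refuse to guess an encapsulation */
        if (n >= max) return -1;
        out[n].incl_len = incl; out[n].type = type; out[n].data = buf + off;
        n++;
        off += incl + 2;
    }
    return n;
}

/* Constructed samples: a normal frame, then a capture-info frame (0xFFFD). */
static const uint8_t SAMPLE[] = { 0x01,0x00,
    0x03,0x00,0x00,0x00, 0xAA,0xBB,0xCC, 0x01,0x00,
    0x02,0x00,0x00,0x00, 0x11,0x22,      0xFD,0xFF };
/* Constructed sample whose per-record type is the undocumented 0. */
static const uint8_t SAMPLE_ZERO[] = { 0x01,0x00, 0x01,0x00,0x00,0x00, 0x00, 0x00,0x00 };

int count_records(const uint8_t *buf, size_t len, int honor) {
    record_t r[8]; return parse_capture(buf, len, honor, r, 8);
}
int type_of(const uint8_t *buf, size_t len, int honor, int idx) {
    record_t r[8]; return parse_capture(buf, len, honor, r, 8) > idx ? r[idx].type : -1;
}
```

Ignoring the trailer silently labels the capture-info frame as Ethernet and accepts the type-0 record; honouring it yields the correct type and makes the type-0 case visible as a parse failure.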