Matthias Lang
2013-12-18 12:46:31 UTC
Hi,
Summary: I've stumbled on some unexpected details in how wireshark and
tshark handle PCap-NG. I'm not sure if they're bugs or
insufficient RTFM, so I thought I'd run them by here before
submitting bugs.
--------------------
I've checked out revision 54142 from subversion and built it on a
Debian AMD64 box. I.e. I think I'm looking at fresh code on a sane system.
1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
allowed. But it actually works fine. Manpage says:
| =item -r E<lt>infileE<gt>
|
| Read packet data from I<infile>, can be any supported capture file format
| (including gzipped files). It's B<not> possible to use named pipes
| or stdin here!
cat /tmp/dumpcap.pcapng | ./tshark -r -
0 0.000000000 0 192.168.1.3 -> 255.255.255.255 UDP 211 ...
0 0.000027000 0 192.168.1.3 -> 255.255.255.255 UDP 235 ...
mkfifo /tmp/a_named_pipe
cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe &
./tshark -r /tmp/a_named_pipe
0 0.000000000 0 192.168.1.3 -> 255.255.255.255 UDP 211 ...
I figure this can be fixed by just removing the word "not" from the
manpage.
Q: Ok if I submit a diff for my rewording?
2. tshark.pod says
| B<TShark>'s native capture file format is B<pcap> format
It might help someone if it said "B<Pcap-NG>". I'm not sure if
Pcap-NG is considered a separate format or a new version. It feels
like a separate format to me since it's totally incompatible.
Q: Ok if I submit a diff for my rewording?
3. Wireshark can read a Pcap from stdin, but not Pcap-NG.
./wireshark -r /tmp/dumpcap.pcapng
./wireshark -k -i - < /tmp/dumpcap.pcapng
cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe &
wireshark -k -i /tmp/a_named_pipe
./tshark -r /tmp/dumpcap.pcapng -F pcap -w - | ./wireshark -k -i -
Q: Is there a switch I'm missing or is this a bug?
4. The wireshark wiki says "if_tsresol" is supported, but only for
values 6 (microseconds) and 9 (nanoseconds).
Wireshark is better than that.
I verified that 0, 1, 2 and 3 (seconds, tenths of seconds,
hundredths, milliseconds) work in both tshark and
wireshark. Milliseconds are important to me because the Pcap-NG
files I generate have millisecond timestamps.
I suspect all values work. I'm not good enough at subversion to
figure out since when. It might be commit r41455.
Wiki: http://wiki.wireshark.org/Development/PcapNg
Q: Ok if I edit the wiki to just say that it works? i.e. without
the limitation?
5. If an IDB in a Pcap-NG file contains both 'if_name' and
'if_description', wireshark only seems to display the
if_description; I can't figure out a way to see the name.
The way I see the 'if_name' is to open the file and go into
'Statistics/Summary'.
Here's an example of each type of file:
if_name: http://corelatus.se/~matthias/if_name_only.pcapng
if_name and if_description: http://corelatus.se/~matthias/if_name_and_description.pcapng
And here's a screenshot of the "good" case, i.e. when you only
have the if_name field:
I generated the Pcap-NG file, so it's possible I've stuffed up and
made a file that's somehow invalid. But it looks fine to me.
Q: Can I report this as a bug? (Or is it deliberate?)
6. I can't figure out a way to display the interface _name_ in
the Wireshark packet detail pane. Here's a screenshot where I've
got the interface _number_ displayed:
I found an earlier discussion about this:
http://www.wireshark.org/lists/wireshark-users/201206/msg00082.html
Q: Is there a way to get at "frame.interface_name"? Both for display
and filtering. (last time, the answer was "not yet")
Q: Same question for tshark.
Background: I work with signalling on SS7 (telecom) networks. One
hardware capture device can capture signalling from hundreds of
interfaces.
Being able to view, filter and sort packets captured on multiple
interfaces is really useful, so I implemented support for writing
PCap-NG files instead of classic PCap. And now I'm exploring what
I can do with the result in Wireshark and tshark.
Matt
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
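Points 4 and 5 above both come down to what an IDB actually carries: the if_tsresol byte that fixes the timestamp unit, and the if_name / if_description options. The following is an added example, not code from the post or from Wireshark, showing a minimal pcapng writer and a checking reader for exactly those fields. It generalizes the tsresol handling beyond the values the post tested: the MSB-clear case (power of ten) and the MSB-set case (power of two) are both decoded, and an absent if_tsresol falls back to the spec default of microseconds. The interface names, the packet payloads and the timestamps are constructed sample data; only little-endian sections are handled, which the reader checks via the SHB byte-order magic rather than assuming.

```python
import struct

# Block types and option codes as defined in the pcapng specification.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_ENDOFOPT, IF_NAME, IF_DESCRIPTION, IF_TSRESOL = 0, 2, 3, 9
LINKTYPE_ETHERNET = 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _option(code, value):
    """Encode one option TLV, padded to a 32-bit boundary."""
    return struct.pack("<HH", code, len(value)) + value + b"\0" * ((-len(value)) % 4)


def _block(block_type, body):
    """Wrap a body in a pcapng block: type, total length, body (padded), total length."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + b"\0" * pad + struct.pack("<I", total)


def tsresol_divisor(tsresol):
    """Timestamp units per second for an if_tsresol byte.
    MSB clear: 10**n (e.g. 3 = milliseconds, 6 = microseconds); MSB set: 2**n."""
    if tsresol & 0x80:
        return 2 ** (tsresol & 0x7F)
    return 10 ** tsresol


def write_pcapng(packets, if_name, if_description=None, tsresol=3):
    """Build a pcapng byte string: one SHB, one IDB, one EPB per (seconds, payload) packet."""
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _option(OPT_ENDOFOPT, b"")
    opts = _option(IF_NAME, if_name.encode("utf-8"))
    if if_description is not None:
        opts += _option(IF_DESCRIPTION, if_description.encode("utf-8"))
    opts += _option(IF_TSRESOL, bytes([tsresol])) + _option(OPT_ENDOFOPT, b"")
    idb_body = struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 0) + opts  # linktype, reserved, snaplen
    out = _block(SHB, shb_body) + _block(IDB, idb_body)
    div = tsresol_divisor(tsresol)
    for seconds, payload in packets:
        units = int(round(seconds * div))
        # interface id, timestamp high, timestamp low, captured len, original len, data
        epb_body = struct.pack("<IIIII", 0, units >> 32, units & 0xFFFFFFFF,
                               len(payload), len(payload)) + payload
        out += _block(EPB, epb_body)
    return out


def _parse_options(buf):
    """Decode option TLVs into {code: raw value}, stopping at opt_endofopt."""
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == OPT_ENDOFOPT:
            break
        value = buf[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of block" % code)
        opts[code] = value
        off += 4 + length + ((-length) % 4)
    return opts


def read_pcapng(data):
    """Return (interfaces, packets); every length field is validated before use."""
    interfaces, packets, off = [], [], 0
    while off < len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("only little-endian sections are handled here")
        elif btype == IDB:
            opts = _parse_options(body[8:])
            tsresol = opts[IF_TSRESOL][0] if IF_TSRESOL in opts else 6  # spec default: microseconds
            interfaces.append({
                "name": opts.get(IF_NAME, b"").decode("utf-8"),
                "description": opts.get(IF_DESCRIPTION, b"").decode("utf-8"),
                "tsresol": tsresol,
                "divisor": tsresol_divisor(tsresol),
            })
        elif btype == EPB:
            if_id, hi, lo, caplen, _orig = struct.unpack_from("<IIIII", body, 0)
            if if_id >= len(interfaces) or 20 + caplen > len(body):
                raise ValueError("EPB references unknown interface or overruns block")
            units = (hi << 32) | lo
            packets.append({"interface": if_id, "units": units,
                            "timestamp": units / interfaces[if_id]["divisor"],
                            "data": body[20:20 + caplen]})
        off += total
    return interfaces, packets


# Constructed sample: two frames on one millisecond-resolution interface.
SAMPLE = write_pcapng([(1387370791.123, b"\x00" * 60), (1387370791.127, b"\xff" * 42)],
                      if_name="e1:0", if_description="E1 link 0 (constructed)", tsresol=3)
```

Feeding the output of write_pcapng to tshark -r reproduces the situation in point 5 (both if_name and if_description present), and changing tsresol to 0, 1, 2 or 3 is the quickest way to repeat the check in point 4 against any Wireshark build. The reader rejects inconsistent block lengths and EPBs that reference an interface id no IDB declared, which is the check a capture consumer should make before trusting the file.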