Hi Lucas,
2013/3/20 Lucas Nussbaum <[email protected]>:
> Package: tshark
> Version: 1.8.2-5wheezy1
> Severity: important
>
> Hi,
>
> tshark's man page says:
> When writing packets to a file, TShark, by default, writes the file
> in libpcap format [..]
> and also says:
> -F <file format>
> Set the file format of the output capture file written using the
> -w option. The output written with the -w option is raw packet
> data, not text, so there is no -F option to request text output.
> The option -F without a value will list the available formats.
Please note that it also says:
...
When writing packets to a file, TShark, by default, writes the file in
libpcap format, and writes all of the packets it sees to the output file.
The -F option can be used to specify the format in which to write the
file. This list of available file formats is displayed by the -F flag
without a value. However, you can't specify a file format for a live
capture.
>
>
> However:
> 1) tshark uses the pcap-ng format, not the libpcap format.
> 2) the -F switch does not work.
>
> The problem can be produced with:
>
> $ sudo tshark -i lo -w - > f ; file f
> [..]
> f: pcap-ng capture file - version 1.0
>
> $ sudo tshark -F libpcap -i lo -w - > f ; file f
> [..]
> f: pcap-ng capture file - version 1.0
>
> In both cases, I would expect tshark to use the libpcap format, like
> tcpdump:
> $ sudo tcpdump -i lo -w - > f ; file f
> [..]
> f: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture
> length 65535)
Please use dumpcap -P instead. From man dumpcap:
-P  Save files as pcap instead of the default pcap-ng. In situations that
    require pcap-ng, such as capturing from multiple interfaces, this
    option will be overridden.
>
>
> The version in experimental (1.9.1-1) is also affected.
> The version in squeeze is not affected.
>
>
> This breaks the "use tshark or dumpcap as a remote probe over SSH" use
> case described in http://wiki.wireshark.org/CaptureSetup/Pipes :
> $ wireshark -k -i <( ssh root@host tshark -i eth0 -w -)
Please use dumpcap -P instead in this scenario, it is expected to work.
Cheers,
Balint
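An added check, not part of this bug report or of the Wireshark tools themselves: the report relies on `file f` to tell pcap from pcap-ng, but when the probe writes to a pipe (the SSH scenario above) there is no file to inspect afterwards. The script below classifies a capture file or stream from its first four bytes alone, so the same check can be run on the output of `dumpcap -P -i eth0 -w -` before handing it to Wireshark. The magic numbers are the real libpcap and pcap-ng values; the sample files are constructed, and `host` / `eth0` in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or Wireshark): classify a capture
# file or stream by its magic number so you can verify what a remote probe
# actually emits. The sample files below are constructed; host/eth0 in the
# usage comment are placeholders.

# capture_format [FILE]: print "pcap", "pcap-ng" or "unknown" based on the
# first four bytes of FILE (or of stdin when no FILE is given).
#   libpcap: 0xa1b2c3d4 (microsecond) or 0xa1b23c4d (nanosecond)
#            timestamps, stored in the capturing host's byte order
#   pcap-ng: Section Header Block type 0x0a0d0d0a, identical in both orders
capture_format() {
    magic=$(od -A n -t x1 -N 4 "$@" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcap-ng ;;
        *) echo unknown ;;
    esac
}

# Constructed sample files holding only the four magic bytes (octal escapes
# so the script stays POSIX sh).
SAMPLE_DIR=$(mktemp -d)
printf '\324\303\262\241' > "$SAMPLE_DIR/le.pcap"    # little-endian libpcap (tcpdump on x86)
printf '\241\262\303\324' > "$SAMPLE_DIR/be.pcap"    # big-endian libpcap
printf '\115\074\262\241' > "$SAMPLE_DIR/ns.pcap"    # little-endian nanosecond libpcap
printf '\012\015\015\012' > "$SAMPLE_DIR/ng.pcapng"  # pcap-ng Section Header Block
printf 'GIF8'             > "$SAMPLE_DIR/other.bin"  # not a capture at all

# Usage against a remote probe (placeholders; needs dumpcap/tshark and
# capture privileges on the probe; -c 1 stops after one packet):
#   ssh root@host dumpcap -P -i eth0 -c 1 -w - | capture_format   # expect: pcap
#   ssh root@host tshark -i eth0 -c 1 -w - | capture_format       # 1.8.2-5wheezy1: pcap-ng
# Usage against the constructed samples:
for f in "$SAMPLE_DIR"/*; do
    printf '%s: %s\n' "$f" "$(capture_format "$f")"
done
```

The check reads only four bytes, so it is safe to run on a live stream: pipe the probe into `capture_format` once to confirm it says `pcap`, then switch to the `wireshark -k -i <( ssh ... )` invocation from the wiki page.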