https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16573

            Bug ID: 16573
           Summary: Mergecap outputs a pcapng that tcpdump rejects as
                    invalid
           Product: Wireshark
           Version: 3.2.4
          Hardware: x86
                OS: macOS 10.15
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Extras
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: p...@brimsecurity.com
  Target Milestone: ---

Build Information:
$ mergecap --version
Mergecap (Wireshark) 3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.37.6, with zlib 1.2.11.

Running on Mac OS X 10.15.4, build 19E287 (Darwin 19.4.0), with Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz (with SSE4.2), with 16384 MB of physical memory, with locale C, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16).

--
No doubt there are smaller pcaps that could be used to repro this, but these are
the publicly-available ones that I know do the trick:

http://mawi.wide.ad.jp/mawi/samplepoint-F/2015/201508051400.dump.gz
https://download.netresec.com/pcap/maccdc-2011/maccdc2011_00010_20110312194033.pcap.gz
https://download.netresec.com/pcap/maccdc-2011/maccdc2011_00013_20110312202724.pcap.gz

Now I uncompress and mergecap them into pcapng and pcap variants:

$ mergecap -w merged.pcapng 201508051400.dump maccdc2011_00010_20110312194033.pcap maccdc2011_00013_20110312202724.pcap
$ mergecap -F pcap -w merged.pcap 201508051400.dump maccdc2011_00010_20110312194033.pcap maccdc2011_00013_20110312202724.pcap

When I try to read the pcapng variant with tcpdump, it's rejected as invalid:

$ tcpdump -r merged.pcapng
reading from PCAP-NG file merged.pcapng
tcpdump: pcap_loop: invalid packet capture length 260, bigger than snaplen of 96

There are no complaints about the regular pcap variant, however.

FWIW, tshark doesn't seem to reject it, so I guess it's tolerant of the root
cause. However what led me to try tcpdump was that another libpcap-dependent
tool (Zeek) also choked on the pcapng variant. So assuming mergecap is truly
outputting something it shouldn't, it'd be great to address that.
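The tcpdump error above is libpcap checking each Enhanced Packet Block's captured length against the snaplen declared in the Interface Description Block the packet refers to. The following is an added example, not code from the report or from Wireshark, that walks a pcapng file block by block and reports every packet that would trip that check; `build_pcapng` constructs a small sample file inline (one interface with a given snaplen, one packet per captured length) so it runs without the linked captures.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def build_block(btype, body, endian="<"):
    """Frame a pcapng block: type, total length, body padded to 4 bytes, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def build_pcapng(snaplen, caplens, endian="<"):
    """Constructed sample: one section, one Ethernet interface with `snaplen`, one EPB per caplen."""
    shb = build_block(SHB, struct.pack(endian + "IHHq", 0x1A2B3C4D, 1, 0, -1), endian)
    idb = build_block(IDB, struct.pack(endian + "HHI", 1, 0, snaplen), endian)
    epbs = b"".join(
        build_block(EPB, struct.pack(endian + "IIIII", 0, 0, 0, n, n) + b"\xAA" * n, endian)
        for n in caplens)
    return shb + idb + epbs

def find_snaplen_violations(data):
    """Return (packet_index, caplen, snaplen) for each EPB whose captured length exceeds
    the snaplen of the interface it references, as libpcap's reader would reject it."""
    off, endian, snaplens, violations, pkt = 0, "<", [], [], 0
    while off + 12 <= len(data):
        # The SHB type is byte-order symmetric, so it is recognised before the endianness is known.
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            snaplens = []  # interface IDs are numbered per section
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if btype == IDB:
            snaplens.append(struct.unpack_from(endian + "HHI", data, off + 8)[2])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "IIIII", data, off + 8)
            if iface >= len(snaplens):
                raise ValueError(f"EPB {pkt} references unknown interface {iface}")
            # A snaplen of 0 means "no limit" in the pcapng spec, so only a non-zero one is enforced.
            if snaplens[iface] and caplen > snaplens[iface]:
                violations.append((pkt, caplen, snaplens[iface]))
            pkt += 1
        off += total
    return violations

if __name__ == "__main__":
    # Mirrors the report: interface snaplen 96, one packet captured at 260 bytes.
    print(find_snaplen_violations(build_pcapng(96, [64, 260, 96])))
```

Pointing `find_snaplen_violations` at the bytes of a real `merged.pcapng` shows which packets and interfaces libpcap is objecting to; a merged file whose IDB snaplen is smaller than the largest captured length of any input is the condition to look for.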
