Hi Tyson, 1.0.7 does only support one section header and one interface header at the beginning of the pcapng file. The current svn version, allows one section header at the beginning and multiple interface headers, but not multiple sections headers. Basically, Wireshark (the svn version) can currently only read pcapng files containing one section. That is the reason why you can not just concatenate several pcapng files and read the resulting file. So it is not a limitation of pcapng, but of its current implementation in Wireshark.
Best regards Michael On May 22, 2009, at 1:27 PM, Tyson Key wrote: > Hi. > Out of interest, are there supposed to be issues with Ethernet Pcap- > NG files/packets appended to other Pcap-NG files generated with > Wireshark 1.0.7 having an unrecognised link type in later (SVN) > versions of Wireshark? At the same time, it seems that 1.0.7 has > issues reading packets in Pcap-NG files from later versions (i.e. > it'll try to recognise a few frames, and if the link type is > Ethernet, show them in the packet pane, but it'll complain about a > decompression error when trying to view them, or it'll just show one > packet with an unknown link type (usally 0 or 113 here), depending > on how packets were combined). > > I've attached some samples for reference. > > Thanks, > Tyson. > > On Fri, May 22, 2009 at 6:35 AM, Ulf Lamping <ulf.lamp...@web.de> > wrote: > Aaron Turner schrieb: > > On Thu, May 21, 2009 at 12:20 PM, Michael Tüxen > > <michael.tue...@lurchi.franken.de> wrote: > >> On May 21, 2009, at 9:15 PM, Aaron Turner wrote: > >> > >>> On Thu, May 21, 2009 at 11:55 AM, Michael Tüxen > >>> <michael.tue...@lurchi.franken.de> wrote: > >>>> Hi Aaron, > >>>> > >>>> can you check also with the latest svn version? > >>> This was trunk-1.0 r28436. Are you working in trunk (wireshark > >>> 1.1.x)? > >> Yes, I'm working in 1.1.x... > > > > > > I just looked at the lastest trunk, and it too hard codes only > > ethernet as supported: > > > > from wiretap/pcapng.c pcapng_dump_can_write_encap(): > > > > /* XXX - for now we only support Ethernet */ > > if (encap != WTAP_ENCAP_ETHERNET) > > return WTAP_ERR_UNSUPPORTED_ENCAP; > > > > Hi! > > This comment is from the time when I started to experimentally > implement > pcapng. > > This was only a rough prototype at that time and as I'm personally > only > using Ethernet, I've only implemented the absolutely necessary stuff. > > It's very long ago so I can't remember if there are any further > problems > with anything else then Ethernet. > > Seems that you're the first one trying to use it in this way ... > > Regards, ULFL > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe > > > > -- > Fight Internet Censorship! http://www.eff.org > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | > +447549728105 > < > Cooked_DC28436 > -107_Ethernet_Concat > .ntar > > > < > Cooked_Dumpcap_SVN_28436 > .ntar > > > < > Ethernet_Dumpcap_SVN_28436 > .ntar > > > < > Ethernet_Wireshark_1.0.7 > .ntar > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
