Wireshark-bugs: [Wireshark-bugs] [Bug 5240] Patch to editcap to allow chop from beginning of pac
Date: Tue, 21 Sep 2010 12:19:48 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5240

--- Comment #5 from Jason Masker <jason@xxxxxxxxxx> 2010-09-21 12:19:47 PDT ---
(In reply to comment #3)
> How does this interact with -C <choplen>
> Where's the manual page change?

I added documentation to the patch. I did not change the behavior of -C in
adding -P and the options could be used together. Using -C and -P we could
decapsulate a protocol with a trailer, such as Ethernet, but I cannot think of
one that would be practical at the moment. (Decapsulating Ethernet would not be
useful because Wireshark will not understand the encapsulated protocol without
the Ethernet header.) -P takes an offset from the beginning of the packet and
-C from the end. -P is processed first, but -C will still chop from the end of
the actual packet if the beginning has already been chopped by -P. Both -P & -C
have a sanity check to ensure the entire packet is not chopped. Because -P is
processed first, if insane parameters are passed, this could mean that -P will
succeed and -C will not chop because it would eliminate what remains of the
packet. This seems reasonable, but if there are other checks that would be
appropriate, or a clearer way to document this behavior, I could make the
necessary modifications.

ERSPAN is a very useful capture technology, allowing a capture to be sent to
any IP destination. For example, I often set up captures ad hoc and pass them
to my laptop, running Wireshark with an 'ip proto 0x2f' capture filter to get a
clean capture wherever I might be connected to the network. However, it is
often useful to convert the resulting file to a format that is more in line
with what would come off the wire and is understood by more tools.

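The -P/-C ordering described in comment #5, modelled as an added example; it is not part of the original comment and is not editcap's code. The names `chop_packet` and `struct chop_result`, the sample lengths, and the exact boundary of the sanity check (a chop is skipped when it would leave zero bytes) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Which bytes of the original packet survive, and which options took effect. */
struct chop_result {
    size_t offset;    /* index of the first kept byte */
    size_t length;    /* number of kept bytes */
    int    p_applied; /* 1 if the -P chop (from the beginning) was applied */
    int    c_applied; /* 1 if the -C chop (from the end) was applied */
};

/* Hypothetical model: -P is evaluated first against the full packet, then -C
 * against whatever remains. Each chop is skipped, not clamped, when it would
 * remove everything that is left (assumed boundary: chop >= remaining). */
static struct chop_result chop_packet(size_t pkt_len, size_t chop_begin,
                                      size_t chop_end)
{
    struct chop_result r = { 0, pkt_len, 0, 0 };

    if (chop_begin > 0 && chop_begin < r.length) {
        r.offset += chop_begin;
        r.length -= chop_begin;
        r.p_applied = 1;
    }
    if (chop_end > 0 && chop_end < r.length) {
        r.length -= chop_end;
        r.c_applied = 1;
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: {packet length, -P value, -C value}. */
    const size_t cases[][3] = {
        { 100, 50,  4 },  /* both chops fit */
        {  60, 50, 20 },  /* -P succeeds, -C would eat the remainder */
        {  60, 60,  4 },  /* -P would eat the whole packet, -C still runs */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct chop_result r = chop_packet(cases[i][0], cases[i][1], cases[i][2]);
        printf("len=%zu -P %zu -C %zu -> keep [%zu, %zu) P=%d C=%d\n",
               cases[i][0], cases[i][1], cases[i][2],
               r.offset, r.offset + r.length, r.p_applied, r.c_applied);
    }
    return 0;
}
```

The second case is the "insane parameters" situation from the comment: the output file silently keeps the trailing bytes that -C was meant to remove, so a check on the resulting packet lengths is worthwhile when both options are used.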