Wireshark-bugs: [Wireshark-bugs] [Bug 6937] pcapng: shd_userappl in newly created files
Date: Sun, 11 Mar 2012 12:15:25 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6937

--- Comment #3 from Anders Broman <anders.broman@xxxxxxxxxxxx> 2012-03-11 12:15:25 PDT ---
(In reply to comment #0)
> Build Information:
> TShark 1.7.1 (SVN Rev 41483 from /trunk)
> --
> Pcap-ng files created by Wiretap API based tools (tshark, editcap, and
> wireshark(?) at the moment) inherit the shb_userappl value from the source file
> and they shouldn't.

Why not? should SHB_USERAPPL show the application which wrote the actual file
or
the application which did the capture? I can se both having merrit.
If I have a capture file and add notes to it and re-save it having the original
SHB_USERAPPL would give me better information that it beeing overwritten by
Wireshark especially if the application is something other than dumpcap.
Same goes for splitting a file.

> 
> Notes:
>  * Most likely the source file has been created by dumpcap
>  * Dumpcap pcapio API writes nul-terminated strings values to the pcapng file;
>    the wiretap API doesn't; the files will differ (option length values,
> padding)
>    even if the new one is a copy of first one.

Yes, is that a problem? why?

> 
> Example:
> 
>  1) dumpcap ... -w first.pcapng
>  2) tshark ... -r first.pcapng -w new.pcapng
>     or
>     editcap ... first.pcapng new.pcapng

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.