Wireshark-bugs: [Wireshark-bugs] [Bug 10588] New: tshark pdml output embeds "proto" elements wit
Date: Sun, 19 Oct 2014 09:40:17 +0000
Bug ID 10588
Summary tshark pdml output embeds "proto" elements within other "proto" elements
Product Wireshark
Version unspecified
Hardware x86
OS Linux (other)
Status UNCONFIRMED
Severity Normal
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter reg.trac.wireshark.5bHNz@fraggod.net

Created attachment 13180
Use with: tshark -T pdml -o 'uat:user_dlts:"User 0 (DLT=147)","rrc.dl.dcch","0","","0",""' -r embedded_proto_issue.pcap

Build Information:
TShark (Wireshark) 1.99.1 (v1.99.1rc0-226-g54dfe3b from master)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.40.0, without SMI, without c-ares, without ADNS,
with Lua 5.1, without GnuTLS, with Gcrypt 1.6.1, without Kerberos, without
GeoIP.

Running on Linux 3.14.22-fg.roam-amd, with locale en_GB.utf8, with libpcap
version 1.5.3, with libz 1.2.8, with Gcrypt 1.6.1.

Built using gcc 4.8.2.
--
When processing attached WCDMA RRC message with the following command:

  tshark -T pdml -o 'uat:user_dlts:"User 0 (DLT=147)","rrc.dl.dcch","0","","0",""' -r embedded_proto_issue.pcap

tshark produces output that not only has "proto" elements as direct children
of "packet", but also "proto" elements that are children of "field" elements,
in this particular case even proto-within-proto-within-proto (ipcp within
gsm_a.dtap within rrc).

It was confirmed in a comment here that it's likely to be a bug:

 
https://ask.wireshark.org/questions/8803/tshark-pdml-output-embeds-a-section-within-another-section

And certainly an unexpected (at least from reading README.xml-output) behavior
for me (expected only "field" elements all the way down from "proto"), which
might be worth documenting there.

PDML in my case (attached pcap) seems to be well-formed XML (despite the
original question in the link above).

Was able to reproduce the issue on both tshark built from current git (as per
Build Information) and stable 1.12.1.
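
Added example, not part of the original report and not Wireshark code: a PDML consumer that assumes every "proto" is a direct child of "packet" will not see the nested layers described above, so this walker reports each "proto" nested inside another "proto" with its chain of enclosing protocols. The sample document is constructed to mirror the nesting in the report (the field names in it are placeholders), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real tshark output): ipcp within gsm_a.dtap within
# rrc, each nested under a "field". Field names are placeholders.
SAMPLE_PDML = """<pdml>
  <packet>
    <proto name="frame"/>
    <proto name="rrc">
      <field name="constructed.outer">
        <proto name="gsm_a.dtap">
          <field name="constructed.inner">
            <proto name="ipcp">
              <field name="constructed.leaf"/>
            </proto>
          </field>
        </proto>
      </field>
    </proto>
  </packet>
</pdml>"""

def proto_chains(packet):
    """Return one list of proto names per "proto" element, outermost first."""
    chains = []

    def walk(elem, chain):
        for child in elem:
            if child.tag == "proto":
                new_chain = chain + [child.get("name", "?")]
                chains.append(new_chain)
                walk(child, new_chain)   # look for protos below this one
            else:
                walk(child, chain)       # "field": keep the enclosing chain

    walk(packet, [])
    return chains

def nested_protos(pdml_text):
    """Return (packet_index, chain) for every proto nested inside another proto."""
    root = ET.fromstring(pdml_text)
    return [(index, chain)
            for index, packet in enumerate(root.iter("packet"))
            for chain in proto_chains(packet)
            if len(chain) > 1]

if __name__ == "__main__":
    for index, chain in nested_protos(SAMPLE_PDML):
        print(f"packet {index}: {' > '.join(chain)}")
```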

