Wireshark-users: Re: [Wireshark-users] wireshark 1.6+: pcapng NBR blocks
From: Jose Pedro Oliveira <jpo@xxxxxxxxxxxx>
Date: Wed, 07 Dec 2011 16:46:56 +0000
On 2011-12-07 06:34, Anders Broman wrote:
> Jose Pedro Oliveira wrote 2011-12-06 18:24:
>> Hi,
>>
>> According to the Wireshark 1.6 release notes [1], tshark is able
>> to read and write host name information from and to pcapng, but I
>> can't figure out how to make tshark create NBR blocks during, or at
>> the end, of a capture.
>>
>> A pcapng file created with tshark 1.7.1svn only seems to have
>> SHB, IDB, EPB and ISB blocks.
>>
>> Could someone give me a hint?
> For what it's worth, these are the code changes that added the functionality
> http://anonsvn.wireshark.org/viewvc/trunk/tshark.c?r1=36077&r2=36318

Anders,

Thanks for the source code pointer.

Right now I'm still unable to have the NBR block(s) written to file even
when I use the "-W n" or "-H /etc/hosts" tshark command line options
(BTW: these options are only documented in the man page, i.e., they
aren't listed by the -h option). At least the very simple test program
- ntartest [1] - doesn't list it.

This also brings me to ask another question: what tools are people
using to dump/debug pcapng files (blocks, options, ...)?

 1) the ntartest program is too simple.

 2) the ntar library [2] appears to be more promising but is
    currently missing several plugins (at least for EPB, ISB,
    NBR blocks).
    It also appears to have frozen in time (no public source
    code repository available).

Regards,
jpo

[1] - Listed in the Wiki page
      http://wiki.wireshark.org/Development/PcapNg

[2] - http://www.winpcap.org/ntar/
-- 
José Pedro Oliveira
* mailto:jpo@xxxxxxxxxxxx *
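
On the question of dumping pcapng blocks, the following is an added example, not code from this message, Wireshark or ntar. It walks the generic block framing (type, total length, body, repeated total length) and lists each block, so the presence or absence of a Name Resolution Block (type code 4, the block the message calls NBR, printed as "NRB") can be checked. The function names and the sample capture are constructed for illustration.

```python
import io
import struct

# Block type codes from the pcapng specification.
BLOCK_NAMES = {0x0A0D0D0A: "SHB", 0x00000001: "IDB", 0x00000003: "SPB",
               0x00000004: "NRB", 0x00000005: "ISB", 0x00000006: "EPB"}
SHB_TYPE = b"\x0a\x0d\x0d\x0a"      # palindromic, reads the same in both byte orders
MAGIC = 0x1A2B3C4D                  # byte-order magic that follows the SHB length

def list_blocks(stream):
    """Return [(block_name, total_length), ...] for a pcapng byte stream."""
    blocks, endian = [], "<"
    while True:
        head = stream.read(8)
        if not head:
            return blocks
        if len(head) < 8:
            raise ValueError("truncated block header")
        if head[:4] == SHB_TYPE:
            # Each section header sets the byte order for the blocks after it.
            head += stream.read(4)
            if head[8:] == struct.pack("<I", MAGIC):
                endian = "<"
            elif head[8:] == struct.pack(">I", MAGIC):
                endian = ">"
            else:
                raise ValueError("bad or truncated byte-order magic")
        btype, total = struct.unpack(endian + "II", head[:8])
        if total % 4 or total < len(head) + 4:
            raise ValueError("implausible block length %d" % total)
        rest = stream.read(total - len(head))
        # The total length is repeated at the end of every block; both copies must agree.
        if len(rest) != total - len(head) or struct.unpack(endian + "I", rest[-4:])[0] != total:
            raise ValueError("block length mismatch or truncated block")
        blocks.append((BLOCK_NAMES.get(btype, hex(btype)), total))

def _block(btype, body):
    """Build a little-endian block (used only for the constructed sample below)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample: SHB, IDB (Ethernet), NRB mapping 192.0.2.1 to "host".
SAMPLE = (_block(0x0A0D0D0A, struct.pack("<IHHq", MAGIC, 1, 0, -1))
          + _block(1, struct.pack("<HHI", 1, 0, 65535))
          + _block(4, struct.pack("<HH", 1, 9) + bytes([192, 0, 2, 1]) + b"host\0"
                   + b"\0" * 3 + struct.pack("<HH", 0, 0)))

if __name__ == "__main__":
    print(list_blocks(io.BytesIO(SAMPLE)))
```

To inspect a real capture, pass a file opened in binary mode instead of the `io.BytesIO` sample.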