Package: tshark
Version: 1.8.2-5wheezy1
Severity: important

Hi,

tshark's man page says:
   When writing packets to a file, TShark, by default, writes the file
   in libpcap format [..]
and also says:
   -F  <file format>
       Set the file format of the output capture file written using the
       -w option.  The output written with the -w option is raw packet
       data, not text, so there is no -F option to request text output.
       The option -F without a value will list the available formats.


However:
1) tshark uses the pcap-ng format, not the libpcap format.
2) the -F switch does not work.

The problem can be produced with:

$ sudo tshark -i lo -w - > f ; file f
[..]
f: pcap-ng capture file - version 1.0

$ sudo tshark -F libpcap -i lo -w - > f ; file f
[..]
f: pcap-ng capture file - version 1.0

In both cases, I would expect tshark to use the libpcap format, like
tcpdump:
$ sudo tcpdump -i lo -w - > f ; file f
[..]
f: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)


The version in experimental (1.9.1-1) is also affected.
The version in squeeze is not affected.


This breaks the "use tshark or dumpcap as a remote probe over SSH" use
case described in http://wiki.wireshark.org/CaptureSetup/Pipes :
$ wireshark -k -i <( ssh root@host tshark -i eth0 -w -)

Wireshark displays "Unrecognized libpcap format", since only libpcap
format is supported in that mode.

A workaround is to use tcpdump to capture packets on the remote host.

Lucas


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (800, 'stable'), (300, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tshark depends on:
ii  libc6             2.13-38
ii  libglib2.0-0      2.33.12+really2.32.4-5
ii  libpcap0.8        1.3.0-1
ii  libwireshark2     1.8.2-5wheezy1
ii  libwiretap2       1.8.2-5wheezy1
ii  libwsutil2        1.9.1-1
ii  wireshark-common  1.8.2-5wheezy1
ii  zlib1g            1:1.2.7.dfsg-13

tshark recommends no packages.

tshark suggests no packages.

-- no debconf information
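
Added example, not part of the original report or of Wireshark's code: a Python check that tells libpcap from pcap-ng by the first bytes of a capture stream and recovers the fields `file` prints in the report. The function names and the two sample headers are constructed for illustration.

```python
import struct

# Magic bytes as they appear on disk -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # Section Header Block type (palindromic)
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D

def identify_capture(head: bytes) -> dict:
    """Classify a capture stream from its first 24 bytes."""
    magic = head[:4]
    if magic in PCAP_MAGICS:
        if len(head) < 24:
            raise ValueError("truncated libpcap global header")
        order, resolution = PCAP_MAGICS[magic]
        # version_major, version_minor, thiszone, sigfigs, snaplen, network
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", head[4:24])
        return {"format": "libpcap", "byte_order": order, "resolution": resolution,
                "version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB_TYPE:
        if len(head) < 16:
            raise ValueError("truncated pcap-ng Section Header Block")
        # The block type reads the same in both byte orders; the
        # byte-order magic at offset 8 decides how to read the rest.
        for order in ("<", ">"):
            if struct.unpack(order + "I", head[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
                major, minor = struct.unpack(order + "HH", head[12:16])
                return {"format": "pcap-ng", "byte_order": order,
                        "version": (major, minor)}
        raise ValueError("pcap-ng block type without a valid byte-order magic")
    return {"format": "unknown"}

def usable_on_pipe(head: bytes) -> bool:
    """Per the report, Wireshark's pipe input accepts only libpcap."""
    return identify_capture(head)["format"] == "libpcap"

# Constructed sample headers (not captured data): the start of a stream as
# tcpdump and the affected tshark would write it, matching the `file` output.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1)

if __name__ == "__main__":
    for name, head in (("tcpdump", SAMPLE_PCAP), ("tshark", SAMPLE_PCAPNG)):
        print(name, identify_capture(head), usable_on_pipe(head))
```

Link type 1 is Ethernet, so the first sample corresponds to "version 2.4 (Ethernet, capture length 65535)" and the second to "pcap-ng capture file - version 1.0".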

