Tshark version problem #219
Ostinato 0.8 does not work well when importing pcap files: with new versions of wireshark/tshark (2.2.6 for me), the hex dump part for ip version & header length is changed from x45 to x04, triggering some alerts from wireshark when replayed.
Thanks for correcting it.
Original report and associated discussion on the mailing list
For testing IPv4 and IPv6 header issues when importing pcap and pdml files, I'm enclosing icmp_packets.zip with the following contents:
It uses a non-zero DSCP value and the don't fragment bit (on IPv4) to test also these fields.
The tshark1 files are pdml generated by tshark v1.12.1, the tshark2 files are generated by tshark v2.2.7.
I've noticed two issues with tshark v2. But I've tested only the IPv4 and IPv6 header, maybe there are more differences in other protocol headers:
IPv4: The ip.version field contains only the high 4 bits, while in tshark v1 it contains the whole byte (including the header length). A quick and dirty fix is to use the ip.hdr_len field. That contains the whole byte in both tshark versions. It's dirty, because in the future this field may contain only the lower 4 bits (only the length bits).
Here is the patch:
IPv6: The traffic class field is named ipv6.class in tshark v1 and ipv6.tclass in tshark v2. My fix is to load both fields:
That's the idea. But on my ostinato machine I have only Wireshark v2 installed. So I tested the PCAP and PDML import with Wireshark v2. Furthermore I loaded the PDML files from Wireshark v1 (from another machine) and checked that they were correctly imported.
So you might want to check with your Ostinato and Wireshark v1 if the attached PCAP files are loading correctly.
@ehlers Will check on my machine and Wireshark v1. Meanwhile I'm trying to find out when and why this change was made in Wireshark, to try and see if it affects more than just IPv4/IPv6.
Stay tuned. If you don't hear from me in a couple of days, please bump this ticket.
Regarding IPv4 version and header length -
On June 18, 2014, IPv4 Version and Header Length were converted from byte value to bit values
On Apr 29, 2016, IPv4 Header Length was converted back to a byte value
This means some version(s) of Wireshark would work correctly and some won't. So it might be better for us to treat these two fields specially so that they work for all versions.
Regarding IPv6 traffic class -
As per the Wireshark IPv6 Display filter reference,
Mapping both these Wireshark fields to the same Ostinato field is effectively an OR, and hence the proposed fix should be ok.
I'm now trying to see if there are other fields that also changed between 1.x and 2.x and once I have that info, we can take a final call on how to proceed with the fix(es).
Regarding the IPv4 version and header length:
For me it looks as if the complete byte can be retrieved from the unmaskedvalue attribute when only some bits are included in the value.
So perhaps you might first try to use the unmaskedvalue attribute of ip.version. When that doesn't exist, use the value attribute of ip.version.
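The version-tolerant PDML reading discussed in this thread (unmaskedvalue of ip.version first, then value, then ip.hdr_len as the fallback, plus accepting both ipv6.class and ipv6.tclass), written out as an added Python example that is not Ostinato's own importer code. The PDML fragments below are constructed to match the attribute shapes described above; the assumption that the traffic class field's value attribute is already the shifted byte in both tshark versions is mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample: tshark 1.x style, ip.version value is the whole byte (0x45).
PDML_V1 = """<packet><proto name="ip">
  <field name="ip.version" show="4" value="45"/>
  <field name="ip.hdr_len" show="20" value="45"/>
</proto></packet>"""

# Constructed sample: tshark 2.x style, value holds only the version bits,
# unmaskedvalue holds the whole byte.
PDML_V2 = """<packet><proto name="ip">
  <field name="ip.version" show="4" value="4" unmaskedvalue="45"/>
  <field name="ip.hdr_len" show="20" value="45"/>
</proto></packet>"""

# Constructed samples: traffic class 0x28 (DSCP 10, ECN 0) under the 1.x field
# name (ipv6.class) and the 2.x field name (ipv6.tclass).
PDML6_V1 = '<packet><proto name="ipv6"><field name="ipv6.class" value="28"/></proto></packet>'
PDML6_V2 = ('<packet><proto name="ipv6">'
            '<field name="ipv6.tclass" value="28" unmaskedvalue="62800000"/></proto></packet>')


def _field(proto, *names):
    """Return the first <field> whose name is in `names` (covers renamed fields)."""
    for name in names:
        f = proto.find("field[@name='%s']" % name)
        if f is not None:
            return f
    raise KeyError("none of %s found" % (names,))


def ipv4_version_ihl(pdml_text):
    """Return (version, ihl) no matter which tshark version wrote the PDML."""
    proto = ET.fromstring(pdml_text).find("proto[@name='ip']")
    ver = _field(proto, "ip.version")
    if ver.get("unmaskedvalue") is not None:      # 2.x: the whole byte lives here
        byte = int(ver.get("unmaskedvalue"), 16)
        return byte >> 4, byte & 0x0F
    byte = int(ver.get("value"), 16)
    if byte >> 4:                                 # 1.x: value is the whole byte
        return byte >> 4, byte & 0x0F
    # Only the version nibble and no unmaskedvalue: take the IHL from ip.hdr_len,
    # whose value is the whole byte in both versions (the "quick and dirty" fix).
    hdr = int(_field(proto, "ip.hdr_len").get("value"), 16)
    return byte & 0x0F, hdr & 0x0F


def ipv6_traffic_class(pdml_text):
    """Return the traffic class byte, accepting the 1.x and the 2.x field name."""
    proto = ET.fromstring(pdml_text).find("proto[@name='ipv6']")
    return int(_field(proto, "ipv6.class", "ipv6.tclass").get("value"), 16) & 0xFF
```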