Wireshark:

a. Open a file with ERF encapsulation;
b. "Save As" selected packets (not the whole file since that will just copy the file);

The output file format will be invalid. ("file has ... packet, bigger than maximum of 65535").

Using editcap with an input ERF encapsulated file will also produce a bad output file.

(I'm assuming that this happens on all OSes although I've only tried Windows).

(This is the cause of Bug #3569).

I'll have a look-see at the code....
I'm going to leave this to someone who is familiar with ERF encapsulation.

I've attached the ERF encapsulated file which was the original capture file used to generate the fuzzed file in Bug #3569.

Re:
> a. Open a file with ERF encapsulation;

Actually: I don't know if there's something about this particular file causing a problem or whether the problem will occur with any ERF encapsulated file.
I think the problem here is that pcap_write_phdr() doesn't write out the erf extension headers. But even if they were written, these erf-encapsulated packets have more than 8 extension headers; however, the pseudo header seems to limit the number to 8, so the resulting file would have truncated the extension headers anyway, which isn't what you want.
To resolve these problems, I think it would be better to just eliminate the erf pseudo-header altogether and simply read in all the packet bytes and let the packet-erf dissector process the bytes as appropriate. Writing selected packets out to another file is then trivial. This is essentially what I've done recently for the USB pseudo header, and I think it works a lot better.
For example, the USB URB bytes are now highlighted when a field is selected whereas previously those bytes only resided in the pseudo-header and so couldn't be highlighted. Looking at the erf header, you don't see what bytes are associated with which header fields because they don't actually exist in the tvb but rather they're only in the pseudo header.
(See bug #4664 for more details on the USB changes that were made.)
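The truncation discussed in the comment above, as an added example (not code from this thread or from Wireshark): it walks the extension-header chain in a record's raw bytes and reports how many headers a fixed 8-slot pseudo-header could not hold. The record layout (16-byte fixed header with the type byte at offset 8, 8-byte extension headers chained through the top bit of their first byte), the function names and the constructed sample record are assumptions of the example; the limit of 8 is the one stated in the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ERF_FIXED_LEN   16 /* assumed layout: ts(8) type(1) flags(1) rlen(2) lctr(2) wlen(2) */
#define ERF_EHDR_LEN    8  /* assumed: each extension header is 8 bytes */
#define PSEUDO_MAX_EHDR 8  /* pseudo-header slot limit described in the thread */

/* Walk the extension-header chain of one record; -1 if the bytes run out. */
int erf_count_ext_headers(const uint8_t *rec, size_t len)
{
    if (len < ERF_FIXED_LEN) return -1;
    int more = rec[8] & 0x80;          /* top bit of type: an extension header follows */
    size_t off = ERF_FIXED_LEN;
    int n = 0;
    while (more) {
        if (len - off < ERF_EHDR_LEN) return -1;  /* chain points past the data */
        more = rec[off] & 0x80;        /* top bit of each header: another one follows */
        off += ERF_EHDR_LEN;
        n++;
    }
    return n;
}

/* Headers that a fixed PSEUDO_MAX_EHDR-slot pseudo-header cannot hold. */
int erf_ext_headers_dropped(const uint8_t *rec, size_t len)
{
    int n = erf_count_ext_headers(rec, len);
    if (n < 0) return -1;
    return n > PSEUDO_MAX_EHDR ? n - PSEUDO_MAX_EHDR : 0;
}

/* Constructed sample: zeroed record carrying n_ext chained extension headers. */
size_t erf_build_sample(uint8_t *buf, size_t cap, unsigned n_ext)
{
    size_t need = ERF_FIXED_LEN + (size_t)n_ext * ERF_EHDR_LEN;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[8] = (uint8_t)(0x02 | (n_ext ? 0x80 : 0));  /* constructed type value */
    for (unsigned i = 0; i < n_ext; i++)
        buf[ERF_FIXED_LEN + i * ERF_EHDR_LEN] = (i + 1 < n_ext) ? 0x80 : 0x00;
    return need;
}

int main(void)
{
    uint8_t rec[256];
    size_t len = erf_build_sample(rec, sizeof rec, 10);
    printf("ext headers: %d, dropped: %d\n", erf_count_ext_headers(rec, len), erf_ext_headers_dropped(rec, len));
    return 0;
}
```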