Timestamp info is not saved correctly when writing DOS Sniffer files

This issue was migrated from bug 7998 in our old bug tracker.

Original bug information:

Reporter: john dite
Status: RESOLVED FIXED
Product: Wireshark
Component: Capture file support (libwiretap)
OS: All
Platform: All
Version: 1.8.3

Attachments:

BEFORE_SAMPLE_CAPTURE.zip: BEFORE SAMPLE CAPTURE
AFTER_SAMPLE_CAPTURE.zip: AFTER SAMPLE CAPTURE
ATLAS_FTAM_TCP_TRACE_2012110713400115.pcap: BEFORE SAMPLE CAPTURE (unzipped)
ATLAS_FTAM_TCP_TRACE_PORT_61042.TRC: AFTER SAMPLE CAPTURE (unzipped)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Child items 0

No child items are currently assigned. Use child items to break down this issue into smaller parts.

I want to extract the details of a specific TCP/IP connection from a larger trace by using the "Exported specified packets" functionality (Packet Range = Displayed). When I analyse the extracted trace the time information in the new saved trace does NOT reflect the original trace. Time in original trace of SYN packet : Arrival Time: Nov 7, 2012 13:41:05.501837000 Westeuropäische Normalzeit Time in extracted trace of SYN packet: Arrival Time: Jan 13, 1980 09:45:55.526654426 Westeuropäische Normalzeit John

The "BEFORE SAMPLE CAPTURE" file, ATLAS_FTAM_TCP_TRACE_2012110713400115.TRC, was, the ".TRC" notwithstanding, a pcap file. The "AFTER SAMPLE CAPTURE" file, however, is a (DOS) Sniffer file; did you deliberately choose that output format? There appears to be a bug in the code that writes out (DOS) Sniffer files; I can reproduce this, on OS X, with a version of Wireshark built from the top of the 1.8 branch, just using "Save As", and *can't* reproduce it with the same version of Wireshark, doing "Export Specified Packets" with your filter, when writing out a pcap file.

An incorrect check for time stamps that won't fit in a DOS date was being done. Fixed in revision 46387 in the trunk, and backported to the 1.8 branch. You probably don't want to save a capture in DOS Sniffer format unless you're going to feed it to a program that can't read any other format that Wireshark can write, however. If Wireshark *defaults* to DOS Sniffer format when writing out packets from a pcap file, rather than defaulting to pcap format, please file a *separate* bug.

Created attachment 9631 AFTER SAMPLE CAPTURE (unzipped) Attach the contents of the AFTER SAMPLE CAPTURE zipball as well, so that *it* can (possibly) show up in the menagerie (to test the DOS Sniffer file reading code, at least).

(In reply to comment #8) > > You probably don't want to save a capture in DOS Sniffer format unless > > you're going to feed it to a program that can't read any other format that > > Wireshark can write, however. > > Basically I used to use > File=>Save As=>Packet Range (Displayed Packets) in Version 1.6.8 but that > function does not seem available in Version 1.8.4, that was the reason for > using File=>Export Specified Packets. File -> Save As, prior to 1.8, performed two separate functions: 1) save an unsaved capture, with the result of the save becoming the current capture file; 2) write out a (possibly improper) subset of packets to a separate file. In 1.8, captures can be edited, so the Save/Save As functionality was changed to work the way it does with other editing programs - File -> Save saves the current state of the capture to the current file, and File -> Save As saves the current state of the capture to a new file and makes that file the current file. That's function 1). Function 2) was moved into File -> Export Specified Packets, so it's the same as the old File -> Save As for all cases where you don't save all the packets. > I never used to associate a file ending (such as .trc) with a specific > format, as I used get tcpdump trace files with this file extension. It never > seemed an issue in the past using the old method for saving trace files. Now > with the "Export Specified Packets" function I realize a conversion takes > place. There is not supposed to be any difference between File -> Save As, prior to 1.8, and File -> Export Specified Packets, in 1.8.0 and later, with regards to whether a conversion takes place. Perhaps the Windows version of Wireshark is seeing ".trc" and thinking it refers to the DOS Sniffer .trc ("Token Ring Capture") suffix rather than one of the many suffixes people use for pcap files ("TRaCe file", presumably), and defaulting to DOS Sniffer format. (I didn't see that on my machine, but I'm not running Windows, and the code paths for saving on Windows and UN*X are not completely the same.) If saving a pcap file with a .trc suffix, either with File -> Save As or File -> Export Specified Packets, defaults to saving it in DOS Sniffer format in 1.8.x, please file a separate bug on that (as it's a separate problem, and should be tracked and fixed separately).

(In reply to comment #9) > If saving a pcap file with a .trc suffix, either with File -> Save As or > File -> Export Specified Packets, defaults to saving it in DOS Sniffer > format in 1.8.x, please file a separate bug on that (as it's a separate > problem, and should be tracked and fixed separately). That might the way it's supposed to work on Windows, based on the way the Windows 7 version of WordPad works. If, in the Save As dialog, I select RTF as the file format (RTF is the default) but specify a file name of Document.txt, a dialog pops up saying You are about to save the document in a Text-Only format, which will remove all formatting. Are you sure you want to do this? To save in other format, click No. and if I click "Yes" it writes the file out as plain text rather than RTF. I would recommend using .pcap rather than .trc as the file extension for pcap-format captures (and using .pcapng for pcap-ng-format captures); yes, it's 4 characters, but, well, 1995 was 17 years ago.... Let Wireshark supply the extension (it'll pick the appropriate one) rather than supplying one yourself.

Timestamp info is not saved correctly when writing DOS Sniffer files

Activity