Bug 1238166

Summary: tshark -F option fails to create capture files in .pcap format.
Product: Red Hat Enterprise Linux 6
Component: wireshark
Version: 6.8
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Reporter: Jaroslav Aster <jaster>
Assignee: Martin Sehnoutka <msehnout>
QA Contact: Jaroslav Aster <jaster>
CC: aiyengar, thozza
Fixed In Version: wireshark-1.8.10-17.el6
Doc Type: If docs needed, set a value
Clone Of: 1227199
Type: Bug
Last Closed: 2017-03-21 09:54:26 UTC
Bug Blocks: 1269194, 1356054, 1373253

Description Jaroslav Aster 2015-07-01 10:28:51 UTC
A similar issue in RHEL 6, but with the libpcap format.

# tshark -i eth0 -F libpcap -w /tmp/tshark-capture-file -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
10 

# capinfos /tmp/tshark-capture-file 
File name:           /tmp/tshark-capture-file
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   10
File size:           1472 bytes
Data size:           840 bytes
Capture duration:    2 seconds
Start time:          Wed Jul  1 12:25:06 2015
End time:            Wed Jul  1 12:25:08 2015
Data byte rate:      406.10 bytes/sec
Data bit rate:       3248.82 bits/sec
Average packet size: 84.00 bytes
Average packet rate: 4.83 packets/sec
SHA1:                98099a7bce5d27dd4a7e7d21e444ddf6e8ec49a8
RIPEMD160:           6cbcb141616115e984798f9b592ba96c1f650477
MD5:                 4e25517d721daa77c4c3f83e0711af2e
Strict time order:   True

# rpm -q wireshark
wireshark-1.8.10-17.el6.x86_64


+++ This bug was initially created as a clone of Bug #1227199 +++

Description of problem:
The tshark utility fails to create files in .pcap format even if it is specified using the "-F" option during capture.

Version-Release number of selected component (if applicable):
TShark 1.10.3 
wireshark-1.10.3-12.el7_0.x86_64

How reproducible:

When using tshark to capture packets over an interface, by default the captures are saved in .pcapng format. This can be changed using the "-F <format>" option while initiating a capture. The list of supported formats can be checked using the "tshark -F" command. It is noticed that in the presently shipped RHEL7 wireshark version, tshark fails to honor the option and continues to save the output file in .pcapng format.

Steps to Reproduce:
1. Start a capture using: tshark -i <interface-name> -F pcap -w /tmp/abcd:
----
# tshark -i net1 -F pcap -w /tmp/example
Running as user "root" and group "root". This could be dangerous.
Capturing on 'net1'
137
----

2. Stop the capture and check the format information using: capinfos <file-name>:
----
# capinfos /tmp/example 
File name:           /tmp/example
File type:           Wireshark/... - pcapng  <<---
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   137 
File size:           24 kB
Data size:           20 kB
Capture duration:    5 seconds
Start time:          Tue Jun  2 12:07:55 2015
End time:            Tue Jun  2 12:07:59 2015
Data byte rate:      4,180 bytes/s
Data bit rate:       33 kbps
Average packet size: 146.25 bytes
Average packet rate: 28 packets/sec
SHA1:                1c9c41f745a2fa1e391b63f43f2ec9ea418a2186
RIPEMD160:           bbe2efec083f89231004436a960ac76378cdcde4
MD5:                 e40e074b6b757d6625e3985899eaea49
Strict time order:   True
----

Actual results:
The capture still gets saved in pcapng format even though the "-F" option is used to specify the required pcap format.

Expected results:
The result should be saved honoring the "-F" option passed and created in pcap format. 
---
 $ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
--- 

Additional info: The upstream tshark/wireshark release has the required fix in place. It works properly, saving the file in the required format:
-----
$ rpm -qa | grep -i wireshark
wireshark-devel-1.12.5-1.fc21.x86_64
wireshark-gnome-1.12.5-1.fc21.x86_64
wireshark-1.12.5-1.fc21.x86_64

$ tshark -v
TShark 1.12.5 (Git Rev Unknown from unknown)

$ tshark -i enp0s25 -F pcap -w /tmp/example-2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'
26 

$ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 262144 bytes
Number of packets:   26 
File size:           3,362 bytes
Data size:           2,922 bytes
Capture duration:    3 seconds
Start time:          Wed Jun  3 12:11:35 2015
End time:            Wed Jun  3 12:11:38 2015
Data byte rate:      867 bytes/s
Data bit rate:       6,942 bits/s
Average packet size: 112.38 bytes
Average packet rate: 7 packets/sec
SHA1:                28062eb2a66ad58196ae458da3fc1e55ea331b35
RIPEMD160:           6da4eb1a4cf84cbb86d1bedf4def564c65446139
MD5:                 d6027a4d8c33fc6af7a19e17a3493942
Strict time order:   True
-----

Reference upstream bugzilla : https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9991

--- Additional comment from Arvind iyengar on 2015-06-02 02:54:23 EDT ---

Hello, 

With the RHEL6 shipped wireshark version, the "-F" parameter does not have an option to save the output format in pcap:

----
# uname -a 
Linux axxo.ragemode.com 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep -i wireshark*
wireshark-gnome-1.8.10-8.el6_6.x86_64
wireshark-1.8.10-8.el6_6.x86_64

# tshark -F
tshark: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/... - libpcap
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap 
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcapng - Wireshark - pcapng  << 
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture
----

The upstream bugzilla indicates the fix was added for 1.8 as well as 1.10 branches. 

--
Arvind
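
The reports above all detect the problem the same way: run tshark with -F, then inspect the result with capinfos. Because the bug is silent (tshark accepts the flag and exits normally), anything that consumes the capture downstream and expects classic pcap will only fail later. The following POSIX shell snippet is an added example, not code from the bug report or from Wireshark: it identifies a capture file's format from the magic number in its first four bytes and exits non-zero when the file is not in the format that was asked for, so a capture script can fail fast instead of trusting -F. The sample headers it writes are constructed here for the demonstration, not taken from the captures in the report.

```shell
#!/bin/sh
# Added example (not part of the bug report or of Wireshark): identify the
# on-disk format of a capture file from its first four bytes, so a script
# can confirm that "tshark -F pcap" (or "-F libpcap" on 1.8) really produced
# a classic pcap file rather than silently falling back to pcapng.
#
# Magic numbers, as the first four bytes appear in the file:
#   d4 c3 b2 a1  classic pcap, little-endian, microsecond timestamps
#   a1 b2 c3 d4  classic pcap, big-endian, microsecond timestamps
#   4d 3c b2 a1  pcap, little-endian, nanosecond timestamps
#   a1 b2 3c 4d  pcap, big-endian, nanosecond timestamps
#   0a 0d 0d 0a  pcapng Section Header Block (first block of every pcapng file)

capture_format() {
    # Dump the first four bytes as hex and strip od's spacing and newline.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;
        4d3cb2a1|a1b23c4d) echo pcap-nsec ;;
        0a0d0d0a)          echo pcapng ;;
        *)                 echo unknown ;;
    esac
}

# Return non-zero (with a message on stderr) when a file is not in the
# format that was requested, e.g.:  check_format /tmp/example pcap
check_format() {
    got=$(capture_format "$1")
    [ "$got" = "$2" ] && return 0
    echo "$1: expected $2, got $got" >&2
    return 1
}

# Constructed sample headers (assumption: not taken from the bug report),
# written to a temporary directory whose path is printed.
make_samples() {
    dir=$(mktemp -d)
    # pcap global header: magic d4c3b2a1, version 2.4, thiszone 0,
    # sigfigs 0, snaplen 65535, linktype 1 (Ethernet); no packets follow.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
        > "$dir/sample.pcap"
    # pcapng Section Header Block: type 0a0d0d0a, block length 28, byte-order
    # magic 1a2b3c4d (little-endian), version 1.0, section length -1
    # (unknown), trailing block length 28; no further blocks follow.
    printf '\012\015\015\012\034\000\000\000\115\074\053\032\001\000\000\000\377\377\377\377\377\377\377\377\034\000\000\000' \
        > "$dir/sample.pcapng"
    echo "$dir"
}

# Stand-alone run: build the samples, report each file's format, and show
# what a mismatch looks like.  Usage:  sh capfmt.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for f in "$d"/sample.pcap "$d"/sample.pcapng; do
        printf '%s: %s\n' "$f" "$(capture_format "$f")"
    done
    check_format "$d/sample.pcapng" pcap || true   # prints the mismatch to stderr
    rm -rf "$d"
fi
```

On a real capture the same check is `capinfos -t <file>` (prints only the file type) or the `file` command; the magic-number test above is useful where capinfos is not installed, for example on a minimal host that only runs tshark. Note that the name passed to -F differs between releases: the 1.8 listing above offers `libpcap`, while 1.10 and later accept `pcap`, so a script should pick the name from the `tshark -F` listing of the installed version rather than hard-code one.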

Comment 3 Martin Sehnoutka 2016-07-20 07:22:47 UTC
*** Bug 1254943 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2017-03-21 09:54:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0631.html