Red Hat Bugzilla – Bug 1238166
tshark -F option fails to create capture files in .pcap format.
Last modified: 2017-03-21 05:54:26 EDT
A similar issue exists in rhel-6, but with the libpcap format.

----
# tshark -i eth0 -F libpcap -w /tmp/tshark-capture-file -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
10
# capinfos /tmp/tshark-capture-file
File name:           /tmp/tshark-capture-file
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   10
File size:           1472 bytes
Data size:           840 bytes
Capture duration:    2 seconds
Start time:          Wed Jul 1 12:25:06 2015
End time:            Wed Jul 1 12:25:08 2015
Data byte rate:      406.10 bytes/sec
Data bit rate:       3248.82 bits/sec
Average packet size: 84.00 bytes
Average packet rate: 4.83 packets/sec
SHA1:                98099a7bce5d27dd4a7e7d21e444ddf6e8ec49a8
RIPEMD160:           6cbcb141616115e984798f9b592ba96c1f650477
MD5:                 4e25517d721daa77c4c3f83e0711af2e
Strict time order:   True
# rpm -q wireshark
wireshark-1.8.10-17.el6.x86_64
----

+++ This bug was initially created as a clone of Bug #1227199 +++

Description of problem:
The tshark utility fails to create files in .pcap format even if that format is specified with the "-F" option during capture.

Version-Release number of selected component (if applicable):
TShark 1.10.3
wireshark-1.10.3-12.el7_0.x86_64

How reproducible:
When using tshark to capture packets over an interface, the captures are saved in .pcapng format by default. This can be changed using the "-F <format>" option while initiating a capture. The list of supported formats can be checked using the "tshark -F" command. It is noticed that in the wireshark version presently shipped with RHEL7, tshark fails to honor the option and continues to save the output file in .pcapng format.

Steps to Reproduce:
1. Start a capture using: tshark -i <interface-name> -F pcap -w /tmp/abcd:
----
# tshark -i net1 -F pcap -w /tmp/example
Running as user "root" and group "root". This could be dangerous.
Capturing on 'net1'
137
----
2. Stop the capture and check the format information using: capinfos <file-name>:
----
# capinfos /tmp/example
File name:           /tmp/example
File type:           Wireshark/... - pcapng   <<---
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   137
File size:           24 kB
Data size:           20 kB
Capture duration:    5 seconds
Start time:          Tue Jun 2 12:07:55 2015
End time:            Tue Jun 2 12:07:59 2015
Data byte rate:      4,180 bytes/s
Data bit rate:       33 kbps
Average packet size: 146.25 bytes
Average packet rate: 28 packets/sec
SHA1:                1c9c41f745a2fa1e391b63f43f2ec9ea418a2186
RIPEMD160:           bbe2efec083f89231004436a960ac76378cdcde4
MD5:                 e40e074b6b757d6625e3985899eaea49
Strict time order:   True
----

Actual results:
The capture still gets saved in pcapng format even though the "-F" option is used to specify the required pcap format.

Expected results:
The result should be saved honoring the "-F" option passed, i.e. created in pcap format.
---
$ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
---

Additional info:
The upstream tshark/wireshark release has the required fix in place. It works properly, saving the file in the required format:
-----
$ rpm -qa | grep -i wireshark
wireshark-devel-1.12.5-1.fc21.x86_64
wireshark-gnome-1.12.5-1.fc21.x86_64
wireshark-1.12.5-1.fc21.x86_64
$ tshark -v
TShark 1.12.5 (Git Rev Unknown from unknown)
$ tshark -i enp0s25 -F pcap -w /tmp/example-2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'
26
$ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 262144 bytes
Number of packets:   26
File size:           3,362 bytes
Data size:           2,922 bytes
Capture duration:    3 seconds
Start time:          Wed Jun 3 12:11:35 2015
End time:            Wed Jun 3 12:11:38 2015
Data byte rate:      867 bytes/s
Data bit rate:       6,942 bits/s
Average packet size: 112.38 bytes
Average packet rate: 7 packets/sec
SHA1:                28062eb2a66ad58196ae458da3fc1e55ea331b35
RIPEMD160:           6da4eb1a4cf84cbb86d1bedf4def564c65446139
MD5:                 d6027a4d8c33fc6af7a19e17a3493942
Strict time order:   True
-----
Reference upstream bugzilla: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9991

--- Additional comment from Arvind iyengar on 2015-06-02 02:54:23 EDT ---
Hello,
With the RHEL6-shipped wireshark version, the "-F" parameter does not have an option to save the output format in pcap:
----
# uname -a
Linux axxo.ragemode.com 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep -i wireshark*
wireshark-gnome-1.8.10-8.el6_6.x86_64
wireshark-1.8.10-8.el6_6.x86_64
# tshark -F
tshark: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/... - libpcap
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcapng - Wireshark - pcapng   <<
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture
----
The upstream bugzilla indicates the fix was added for the 1.8 as well as the 1.10 branches.
-- Arvind
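The bug above is only visible once you inspect the file, because the name given to -w says nothing about the format. The script below is an added example (not code from the bug report or from wireshark): it classifies a capture by its header magic, the same property capinfos reports as "File type", and compares that with the type passed to tshark -F. The two sample headers are constructed inline; the -F type names are the ones the report lists.

```python
import struct

# pcap magic numbers as written on disk by little- and big-endian writers,
# plus the nanosecond-resolution variant that tshark calls "nseclibpcap".
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False), b"\xa1\xb2\xc3\xd4": (">", False),
    b"\x4d\x3c\xb2\xa1": ("<", True),  b"\xa1\xb2\x3c\x4d": (">", True),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type
PCAPNG_BOMS = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}
# tshark -F type name -> on-disk format that type must produce
REQUESTED_TO_FORMAT = {"pcap": "pcap", "libpcap": "pcap",
                       "nseclibpcap": "pcap", "pcapng": "pcapng"}

def identify_capture(data: bytes) -> dict:
    """Classify a capture file by its header bytes instead of trusting its name."""
    if len(data) < 24:
        return {"format": "unknown", "reason": "header too short"}
    magic = data[:4]
    if magic in PCAP_MAGICS:
        endian, nsec = PCAP_MAGICS[magic]
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
            endian + "HHiIII", data[4:24])
        return {"format": "pcap", "nanosecond": nsec, "version": (major, minor),
                "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB_TYPE and data[8:12] in PCAPNG_BOMS:
        major, minor = struct.unpack(PCAPNG_BOMS[data[8:12]] + "HH", data[12:16])
        return {"format": "pcapng", "version": (major, minor)}
    return {"format": "unknown", "reason": "unrecognised magic " + magic.hex()}

def honors_format(data: bytes, requested: str) -> bool:
    """True if the file really is in the type that was requested with -F."""
    expected = REQUESTED_TO_FORMAT.get(requested)
    if expected is None:
        raise ValueError("type not covered by this check: " + requested)
    info = identify_capture(data)
    if info["format"] != expected:
        return False
    return info["nanosecond"] if requested == "nseclibpcap" else True

# Constructed sample headers (not the files from the report): a little-endian
# pcap header (snaplen 262144, Ethernet) and a minimal pcapng Section Header Block.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)

def check_file(path: str, requested: str) -> bool:
    """Read only the header of a tshark output file and verify -F was honored."""
    with open(path, "rb") as fh:
        return honors_format(fh.read(24), requested)
```

On an affected build, check_file("/tmp/example", "pcap") returns False for the file captured with -F pcap, which is the condition to fail on in a capture pipeline that feeds pcap-only tools.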
*** Bug 1254943 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2017-0631.html