Bug 1238166 - tshark -F option fails to create capture files in .pcap format.
Summary: tshark -F option fails to create capture files in .pcap format.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: wireshark
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Sehnoutka
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1269194 1356054 1373253
Reported: 2015-07-01 10:28 UTC by Jaroslav Aster
Modified: 2020-03-11 14:55 UTC

Fixed In Version: wireshark-1.8.10-17.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1227199
Environment:
Last Closed: 2017-03-21 09:54:26 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0631 0 normal SHIPPED_LIVE Moderate: wireshark security and bug fix update 2017-03-21 12:29:55 UTC

Description Jaroslav Aster 2015-07-01 10:28:51 UTC
The similar issue in rhel-6, but with libpcap format.

# tshark -i eth0 -F libpcap -w /tmp/tshark-capture-file -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
10 

# capinfos /tmp/tshark-capture-file 
File name:           /tmp/tshark-capture-file
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   10
File size:           1472 bytes
Data size:           840 bytes
Capture duration:    2 seconds
Start time:          Wed Jul  1 12:25:06 2015
End time:            Wed Jul  1 12:25:08 2015
Data byte rate:      406.10 bytes/sec
Data bit rate:       3248.82 bits/sec
Average packet size: 84.00 bytes
Average packet rate: 4.83 packets/sec
SHA1:                98099a7bce5d27dd4a7e7d21e444ddf6e8ec49a8
RIPEMD160:           6cbcb141616115e984798f9b592ba96c1f650477
MD5:                 4e25517d721daa77c4c3f83e0711af2e
Strict time order:   True

# rpm -q wireshark
wireshark-1.8.10-17.el6.x86_64


+++ This bug was initially created as a clone of Bug #1227199 +++

Description of problem:
tshark utility fails to create files in .pcap format even if it is being specified using the "-F" option during capture.

Version-Release number of selected component (if applicable):
TShark 1.10.3 
wireshark-1.10.3-12.el7_0.x86_64

How reproducible:

When using tshark to capture packets over the interface, by default the captures are saved in .pcapng format. This can be changed using the "-F <format>" option while initiating a capture. The list of supported formats can be checked using the "tshark -F" command. It is noticed that in the present RHEL7 shipped wireshark version, tshark fails to honor the option and continues to save the output file in .pcapng format.

Steps to Reproduce:
1. Start a capture using : tshark -i <interface-name> -F pcap -w /tmp/abcd:
----
# tshark -i net1 -F pcap -w /tmp/example
Running as user "root" and group "root". This could be dangerous.
Capturing on 'net1'
137
----

2. Stop the capture and check the format information using : capinfos <file-name>:
----
# capinfos /tmp/example 
File name:           /tmp/example
File type:           Wireshark/... - pcapng  <<---
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   137 
File size:           24 kB
Data size:           20 kB
Capture duration:    5 seconds
Start time:          Tue Jun  2 12:07:55 2015
End time:            Tue Jun  2 12:07:59 2015
Data byte rate:      4,180 bytes/s
Data bit rate:       33 kbps
Average packet size: 146.25 bytes
Average packet rate: 28 packets/sec
SHA1:                1c9c41f745a2fa1e391b63f43f2ec9ea418a2186
RIPEMD160:           bbe2efec083f89231004436a960ac76378cdcde4
MD5:                 e40e074b6b757d6625e3985899eaea49
Strict time order:   True
----

Actual results:
The capture still gets saved in pcapng format though the "-F" option is used to specify the required pcap format.

Expected results:
The result should be saved honoring the "-F" option passed and created in pcap format. 
---
 $ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
--- 

Additional info: Upstream version of tshark/wireshark release has the required fix in place. It seems to work properly saving the file in required format: 
-----
$ rpm -qa | grep -i wireshark
wireshark-devel-1.12.5-1.fc21.x86_64
wireshark-gnome-1.12.5-1.fc21.x86_64
wireshark-1.12.5-1.fc21.x86_64

$ tshark -v
TShark 1.12.5 (Git Rev Unknown from unknown)

$ tshark -i enp0s25 -F pcap -w /tmp/example-2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'
26 

$ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 262144 bytes
Number of packets:   26 
File size:           3,362 bytes
Data size:           2,922 bytes
Capture duration:    3 seconds
Start time:          Wed Jun  3 12:11:35 2015
End time:            Wed Jun  3 12:11:38 2015
Data byte rate:      867 bytes/s
Data bit rate:       6,942 bits/s
Average packet size: 112.38 bytes
Average packet rate: 7 packets/sec
SHA1:                28062eb2a66ad58196ae458da3fc1e55ea331b35
RIPEMD160:           6da4eb1a4cf84cbb86d1bedf4def564c65446139
MD5:                 d6027a4d8c33fc6af7a19e17a3493942
Strict time order:   True
-----

Reference upstream bugzilla : https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9991

--- Additional comment from Arvind iyengar on 2015-06-02 02:54:23 EDT ---

Hello, 

With RHEL6 shipped wireshark version, the "-F" parameter does not have an option to save the output format in pcap:

----
# uname -a 
Linux axxo.ragemode.com 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep -i wireshark*
wireshark-gnome-1.8.10-8.el6_6.x86_64
wireshark-1.8.10-8.el6_6.x86_64

# tshark -F
tshark: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/... - libpcap
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap 
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcapng - Wireshark - pcapng  << 
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture
----

The upstream bugzilla indicates the fix was added for 1.8 as well as 1.10 branches. 

--
Arvind
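
Added example (not part of the original report, and not Wireshark or Red Hat code): a Python check that reads a capture file's header to confirm whether the format requested with "-F" was honoured, without relying on capinfos. The function names and the sample headers are constructed for illustration; the magic numbers are those defined by the pcap and pcapng file formats.

```python
import struct

# Magic numbers from the pcap and pcapng file format definitions.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "pcap"),             # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", "pcap"),             # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "pcap-nanosecond"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "pcap-nanosecond"),  # little-endian, nanosecond timestamps
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"                    # Section Header Block type
PCAPNG_BOM = 0x1A2B3C4D                             # byte-order magic inside the SHB


def identify_capture(header: bytes) -> dict:
    """Classify a capture file from its first 24 bytes."""
    if len(header) < 12:
        return {"format": "unknown", "reason": "truncated header"}
    magic = header[:4]
    if magic in PCAP_MAGICS:
        if len(header) < 24:
            return {"format": "unknown", "reason": "truncated pcap header"}
        endian, fmt = PCAP_MAGICS[magic]
        major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
            endian + "HHiIII", header[4:24])
        return {"format": fmt, "version": (major, minor),
                "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB:
        for endian in ("<", ">"):
            if struct.unpack(endian + "I", header[8:12])[0] == PCAPNG_BOM:
                return {"format": "pcapng", "endian": endian}
        return {"format": "unknown", "reason": "bad pcapng byte-order magic"}
    return {"format": "unknown", "reason": "unrecognised magic"}


def honours_requested_format(path: str, requested: str) -> bool:
    """True when the file at `path` is in the format passed to `tshark -F`."""
    # The 1.8 listing in the report names the format "libpcap"; the 1.10/1.12 commands use "pcap".
    wanted = {"libpcap": "pcap", "pcap": "pcap", "pcapng": "pcapng"}[requested]
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))["format"] == wanted


# Constructed sample headers (not taken from the captures in the report).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1)
```

In a regression test for this bug, honours_requested_format("/tmp/tshark-capture-file", "libpcap") would return False on the affected build, matching the "Wireshark - pcapng" line that capinfos prints.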

Comment 3 Martin Sehnoutka 2016-07-20 07:22:47 UTC
*** Bug 1254943 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2017-03-21 09:54:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0631.html

