Bug 1238166 - tshark -F option fails to create capture files in .pcap format.
Summary: tshark -F option fails to create capture files in .pcap format.
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: wireshark
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Martin Sehnoutka
QA Contact: Jaroslav Aster
Depends On:
Blocks: 1269194 1356054 1373253
TreeView+ depends on / blocked
Reported: 2015-07-01 10:28 UTC by Jaroslav Aster
Modified: 2017-03-21 09:54 UTC (History)
2 users (show)

Fixed In Version: wireshark-1.8.10-17.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1227199
Last Closed: 2017-03-21 09:54:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0631 normal SHIPPED_LIVE Moderate: wireshark security and bug fix update 2017-03-21 12:29:55 UTC

Description Jaroslav Aster 2015-07-01 10:28:51 UTC
The similar issue in rhel-6, but with libpcap format.

# tshark -i eth0 -F libpcap -w /tmp/tshark-capture-file -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0

# capinfos /tmp/tshark-capture-file 
File name:           /tmp/tshark-capture-file
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   10
File size:           1472 bytes
Data size:           840 bytes
Capture duration:    2 seconds
Start time:          Wed Jul  1 12:25:06 2015
End time:            Wed Jul  1 12:25:08 2015
Data byte rate:      406.10 bytes/sec
Data bit rate:       3248.82 bits/sec
Average packet size: 84.00 bytes
Average packet rate: 4.83 packets/sec
SHA1:                98099a7bce5d27dd4a7e7d21e444ddf6e8ec49a8
RIPEMD160:           6cbcb141616115e984798f9b592ba96c1f650477
MD5:                 4e25517d721daa77c4c3f83e0711af2e
Strict time order:   True

# rpm -q wireshark

+++ This bug was initially created as a clone of Bug #1227199 +++

Description of problem:
tshark utility fails to create files in .pcap format even if it being specified using "-F" option during capture. 

Version-Release number of selected component (if applicable):
TShark 1.10.3 

How reproducible:

When using tshark to capture packets over the interface. by default, the capatures are savedin .pcapng format. This can be changed using "-F <format>" option whils initiating a capture.The list of supported format can be checked using "tshark -F" command. It is noticed that in present RHEL7 shipped wireshark version, tshark fails to honor the option and continues to save the output file in .pcapng format.

Steps to Reproduce:
1. start a capture using : tshark -i <interanme-name> -F pcap -w /tmp/abcd:
# tshark -i net1 -F pcap -w /tmp/example
Running as user "root" and group "root". This could be dangerous.
Capturing on 'net1'

2. Stop the capture and check the format information using : capinfos <file-name>:
# capinfos /tmp/example 
File name:           /tmp/example
File type:           Wireshark/... - pcapng  <<---
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   137 
File size:           24 kB
Data size:           20 kB
Capture duration:    5 seconds
Start time:          Tue Jun  2 12:07:55 2015
End time:            Tue Jun  2 12:07:59 2015
Data byte rate:      4,180 bytes/s
Data bit rate:       33 kbps
Average packet size: 146.25 bytes
Average packet rate: 28 packets/sec
SHA1:                1c9c41f745a2fa1e391b63f43f2ec9ea418a2186
RIPEMD160:           bbe2efec083f89231004436a960ac76378cdcde4
MD5:                 e40e074b6b757d6625e3985899eaea49
Strict time order:   True

Actual results:
The capture still gets save in pcapng format though "-F" option is used to specify the required pcap format.

Expected results:
The result should be saved honoring the "-F" option passed and created in pcap format. 
 $ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet

Additional info: Upstream version of tshark/wireshark release has the required fix in place. It seems to work properly saving the file in required format: 
$ rpm -qa | grep -i wireshark

$ tshark -v
TShark 1.12.5 (Git Rev Unknown from unknown)

$ tshark -i enp0s25 -F pcap -w /tmp/example-2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'

$ capinfos /tmp/example-2
File name:           /tmp/example-2
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 262144 bytes
Number of packets:   26 
File size:           3,362 bytes
Data size:           2,922 bytes
Capture duration:    3 seconds
Start time:          Wed Jun  3 12:11:35 2015
End time:            Wed Jun  3 12:11:38 2015
Data byte rate:      867 bytes/s
Data bit rate:       6,942 bits/s
Average packet size: 112.38 bytes
Average packet rate: 7 packets/sec
SHA1:                28062eb2a66ad58196ae458da3fc1e55ea331b35
RIPEMD160:           6da4eb1a4cf84cbb86d1bedf4def564c65446139
MD5:                 d6027a4d8c33fc6af7a19e17a3493942
Strict time order:   True

Reference upstream bugzilla : https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9991

--- Additional comment from Arvind iyengar on 2015-06-02 02:54:23 EDT ---


With RHEL6 shipped wireshark version, the "-F" parameter does not have an option to save the ouput format in pcap:

# uname -a 
Linux axxo.ragemode.com 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep -i wireshark*

# tshark -F
tshark: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/... - libpcap
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap 
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcapng - Wireshark - pcapng  << 
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture

The upstream bugzilla indicates the fix was added for 1.8 as well as 1.10 branches. 


Comment 3 Martin Sehnoutka 2016-07-20 07:22:47 UTC
*** Bug 1254943 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2017-03-21 09:54:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.