
Bug 566472

Summary: net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii file, content unrecoverable
Product: Gentoo Linux
Reporter: miro.rovis
Component: Current packages
Assignee: Gentoo Netmon project <netmon>
Status: RESOLVED UPSTREAM
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11750
Whiteboard:
Package list:
Runtime testing required: ---

Description miro.rovis 2015-11-22 14:41:24 UTC
I think this is a bug, and I tried to post it on Wireshark's bugzilla, but I couldn't do it, not with Dillo, not with Firefox.

tshark (net-analyzer/wireshark-1.12.8-r1) saves tcp/ssl raw streams in ascii
file, content unrecoverable

Since Wireshark 2.0.0 is not available in Gentoo yet, and since:

https://bugs.gentoo.org/show_bug.cgi?id=565152

I'm still using wireshark-1.12.8-r1

I explained this in (too much) detail in the thread starting from:

[Wireshark-users] follow [tcp|ssl].stream with tshark
https://www.wireshark.org/lists/wireshark-users/201511/msg00033.html 

and also on:
How to extract content from tshark-saved streams?
https://forums.gentoo.org/viewtopic-t-1033844.html

Maybe shorter now:

Download dump_150927_1848_g0n.pcap from
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

It all boils down to this command:

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 \
 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin

producing an ASCII file from which, at the very least, it takes a wizard to extract content, in comparison with the perfectly recoverable content from the file that I saved with Wireshark, and called:

dump_150927_1848_g0n_s00009-W.bin

You can find both files, as I obtained them in my Wireshark on my Gentoo, as well as the extracted content from, surely only, the Wireshark-saved stream at:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151121/
(the extractable content being what I extracted and posted there as:
dump_150927_1848_g0n_s00009-W.js)

Reproducible: Always

Please use the attachment from the other bug report:

https://565152.bugs.gentoo.org/attachment.cgi?id=416302

for:

emerge --info

as it hasn't really changed.
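
Added example, not part of the original report and not Wireshark or Gentoo code: a decoder for the text that `-qz follow,tcp,raw,9` prints, rebuilding each direction of the stream as binary. It assumes the output is one hex string per segment, that segments sent by the second node are tab-indented, and that the input holds only the follow output; the sample text and the function name are constructed for illustration.

```python
import re
import sys

# Assumed format: one hex string per segment; a leading tab marks Node 1 data.
HEX_LINE = re.compile(r"^(\t?)((?:[0-9A-Fa-f]{2})+)$")


def decode_follow_raw(text):
    """Rebuild both directions of a stream from follow,tcp,raw text output.

    Returns (node0_bytes, node1_bytes). The "====" banner and the "Follow:",
    "Filter:" and "Node N:" header lines do not match HEX_LINE and are skipped.
    """
    sides = [bytearray(), bytearray()]
    for line in text.splitlines():
        m = HEX_LINE.match(line.rstrip("\r "))
        if m:
            sides[1 if m.group(1) else 0] += bytes.fromhex(m.group(2))
    return bytes(sides[0]), bytes(sides[1])


# Constructed sample: a tiny plaintext exchange in the assumed output layout.
BANNER = "=" * 67
SAMPLE = "\n".join([
    BANNER,
    "Follow: tcp,raw",
    "Filter: tcp.stream eq 9",
    "Node 0: 192.0.2.10:49152",
    "Node 1: 192.0.2.20:80",
    "474554202f20485454502f312e300d0a0d0a",
    "\t485454502f312e3020323030204f4b0d0a0d0a",
    "\t6869",
    BANNER,
])

if __name__ == "__main__":
    # Usage: script.py FOLLOW_OUTPUT.txt NODE0.bin NODE1.bin (placeholder names)
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            node0, node1 = decode_follow_raw(fh.read())
        for path, data in ((sys.argv[2], node0), (sys.argv[3], node1)):
            with open(path, "wb") as out:
                out.write(data)
    else:
        node0, node1 = decode_follow_raw(SAMPLE)
        print(len(node0), "bytes from node 0;", len(node1), "bytes from node 1")
```

For a TLS stream the decoded bytes are still encrypted records unless the capture was followed after decryption.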
Comment 1 miro.rovis 2015-11-22 16:09:04 UTC
I managed to file a bug on this in Wireshark:

tshark saves raw stream in ascii file, content unrecoverable
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11750
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-22 19:28:39 UTC
(In reply to miro.rovis from comment #0)
> I think this is a bug, and I tried to post it on Wireshark's bugzilla, but I
> couldn't do it, not with Dillo, not with Firefox.

I don't see how Gentoo is responsible for wireshark's behaviour. If there is such a link, we should see upstream refer it back to us.

> Since Wireshark 2.0.0 is not available in Gentoo yet

commit 76079176be6a22502c25090057341fa96c93feb8
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sat Nov 21 05:52:48 2015 +0100

    net-analyzer/wireshark: Version bump (bug #566180 by Pavel Půlpán).

    Package-Manager: portage-2.2.25

>, and since:

> https://bugs.gentoo.org/show_bug.cgi?id=565152

That was also referred upstream.