Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 566472 - net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii file, content unrecoverable
Summary: net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii ...
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Netmon Herd
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-22 14:41 UTC by miro.rovis
Modified: 2015-11-22 19:29 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description miro.rovis 2015-11-22 14:41:24 UTC
I think this is a bug, and I tried to post it on Wiresharks' bugzilla, but I couldn't do it, not with Dillo, not with Firefox.

tshark (net-analyzer/wireshark-1.12.8-r1) saves tcp/ssl raw streams in ascii
file, content unrecoverable

Since Wireshark 2.0.0 is not available in Gentoo yet, and since:

https://bugs.gentoo.org/show_bug.cgi?id=565152

I'm still using wireshark-1.12.8-r1

I explained this in (too much) detail in the thread starting from:

Wireshark-users] follow [tcp|ssl].stream with tshark 
https://www.wireshark.org/lists/wireshark-users/201511/msg00033.html 

and also on:
How to extract content from tshark-saved streams?
https://forums.gentoo.org/viewtopic-t-1033844.html

Mayve shorter now:

Download dump_150927_1848_g0n.pcap from
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

It all boils down to this command:

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 \
 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin

producing an ascii file from which, in the least, it takes a wizard to extract content from, in comparison with perfectly recoverable content from the file that I saved with the Wireshark, and called it:

dump_150927_1848_g0n_s00009-W.bin

You can find both files, as I obtained them in my Wireshark on my Gentoo, as well as the extracted content from, surely only, the Wireshark-saved stream at:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151121/
(the extractable content being what I extracted and posted there as:
dump_150927_1848_g0n_s00009-W.js)

Reproducible: Always




Pls use attachment from othe bug report:

https://565152.bugs.gentoo.org/attachment.cgi?id=416302

for:

emerge --info

as it hasn't really changed.
Comment 1 miro.rovis 2015-11-22 16:09:04 UTC
I managed to file a bug on this in Wireshark:

tshark saves raw stream in ascii file, content unrecoverable
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11750
Comment 2 Jeroen Roovers gentoo-dev 2015-11-22 19:28:39 UTC
(In reply to miro.rovis from comment #0)
> I think this is a bug, and I tried to post it on Wiresharks' bugzilla, but I
> couldn't do it, not with Dillo, not with Firefox.

I don't see how Gentoo is responsible for wireshark's behaviour. If there is such a link, we should see upstream refer it back to us.

> Since Wireshark 2.0.0 is not available in Gentoo yet

commit 76079176be6a22502c25090057341fa96c93feb8
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sat Nov 21 05:52:48 2015 +0100

    net-analyzer/wireshark: Version bump (bug #566180 by Pavel Půlpán).

    Package-Manager: portage-2.2.25

>, and since:

> https://bugs.gentoo.org/show_bug.cgi?id=565152

That was also referred upstream.