Re: network monitor 3.4 traces cannot be read

[Guy Harris <guy () alum mit edu>]

On Jul 22, 2010, at 10:23 AM, DePriest, Jason R. wrote:

> Why does the problem only affect the dev versions of Wireshark?

Because in 1.2.x, Wireshark ignored the per-packet encapsulation field in newer file formats, whereas, in 1.3.x/1.4.x, 
it doesn't.  There are some files, and some packets, that can't be correctly handled if the per-packet encapsulation 
field is ignored (e.g., the frames where NetMon stores information about the capture).

Microsoft's documentation on the file format doesn't mention the possibility of a frame type being 0, so either

        1) the documentation is incomplete

or

        2) there's a bug and the frame type is being fetched from the wrong location.

We'd need a capture file to distinguish between 1) and 2) to test a fix.  (I'll ask Paul Long of the NetMon group if 
there's a case where, for example, the per-packet type will be 0.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe