tshark fails when reading from a pcapng file with IDBs following the first packet and writing it to another pcapng file
macOS 10.15.6 /usr/sbin/tcpdump defaults to reading from PKTAP in pcapng format. However, tshark 3.2.6 cannot read this format. Wireshark 3.2.6 reads the file just fine. Using tcpdump to read from Ethernet interfaces en0 and en1 creates legacy pcap format files that work fine.
# /usr/sbin/tcpdump -w foo.pcap
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
^C332 packets captured
336 packets received by filter
0 packets dropped by kernel
# file foo.pcap
foo.pcap: pcapng capture file - version 1.0
# tshark -r foo.pcap -w bar.pcap
tshark: An error occurred while writing to the file "bar.pcap": Internal error.
# tshark --version
TShark (Wireshark) 3.2.6 (v3.2.6-0-g4f9257fb8ccc)
Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.37.6,
with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with
GnuTLS 3.4.17, with Gcrypt 1.8.5, with MIT Kerberos, with MaxMind DB resolver,
with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.9.9.
Running on Mac OS X 10.15.6, build 19G2021 (Darwin 19.6.0), with Intel(R)
Core(TM) i7-6700K CPU @ 4.00GHz (with SSE4.2), with 40960 MB of physical memory,
with locale en_US.UTF-8, with libpcap version 1.9.1, with GnuTLS 3.4.17, with
Gcrypt 1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0
loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16).
Edited by Guy Harris
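An added example, not part of the original report and not Wireshark's code: a minimal pcapng block walker that reports Interface Description Blocks (IDBs) appearing after the first packet block in a section, the layout named in the title. The function names are hypothetical and the sample capture bytes are constructed for illustration.

```python
import struct

SHB, IDB, PB, SPB, EPB = 0x0A0D0D0A, 1, 2, 3, 6   # pcapng block type codes
PACKET_BLOCKS = {PB, SPB, EPB}
MAGIC = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # byte-order magic as stored

def walk_blocks(data):
    """Yield (offset, block_type) for every block, following each section's endianness."""
    off, endian = 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # SHB type reads the same in both orders
            endian = MAGIC.get(data[off + 8:off + 12])
            if endian is None:
                raise ValueError(f"bad byte-order magic at offset {off}")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, btype
        off += total

def late_idbs(data):
    """Return [(offset, interface_id)] for IDBs that follow a packet block in their section."""
    late, seen_packet, iface = [], False, 0
    for off, btype in walk_blocks(data):
        if btype == SHB:                 # new section: interface numbering restarts
            seen_packet, iface = False, 0
        elif btype == IDB:
            if seen_packet:
                late.append((off, iface))
            iface += 1
        elif btype in PACKET_BLOCKS:
            seen_packet = True
    return late

def make_block(btype, body):             # builds constructed sample blocks (little-endian)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def make_epb(iface, pkt=b"\0\0\0\0"):    # Enhanced Packet Block with a 4-byte dummy packet
    return make_block(EPB, struct.pack("<5I", iface, 0, 0, len(pkt), len(pkt)) + pkt)

SHB_BLOCK = make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
IDB_BLOCK = make_block(IDB, struct.pack("<HHI", 1, 0, 262144))  # LINKTYPE_ETHERNET, snaplen 262144
# Constructed sample: the second IDB appears only after the first packet block.
SAMPLE = SHB_BLOCK + IDB_BLOCK + make_epb(0) + IDB_BLOCK + make_epb(1)

if __name__ == "__main__":
    print(late_idbs(SAMPLE))
```

To check a real capture, pass the file's bytes to `late_idbs`; a non-empty result means the file has the IDB-after-packet layout described in the title.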