Wireshark can't save this capture in that format
Summary
Wireshark is not able to save/export a pcapng of a live capture done using packets coming from multiple fifos related to tcpdump and dumpcap instances. There is no problem if the different fifos come from:
- tcpdump instances only (even with mixed fixed and "any" interface)
- dumpcap instances only
- mixed tcpdump and dumpcap instances but using a fixed interface in tcpdump command instead of "any"
In my opinion the issue is the mixing of the "Linux cooked-mode capture v1" link type, coming from tcpdump with the "any" interface, and dumpcap.
Sample capture file
The attached pcapng (fifos_mixed_link_types.pcapng) has been created automatically by Wireshark in the /tmp folder. As you can see, it's not possible to export packets or just save it again.
Steps to reproduce
- Create a fifo (mkfifo first.fifo) and push into it packets coming from tcpdump using "any" as interface, like: tcpdump -i any -w - > first.fifo
- Create a second fifo (mkfifo second.fifo) and push into it packets coming from dumpcap using a fixed interface, like: dumpcap -i eth0 -w - > second.fifo
- Execute wireshark passing both fifos, like: wireshark -k -i first.fifo -i second.fifo
What is the current bug behavior?
It's not possible to export packets or save the trace. A popup is raised with a message as per subject.
What is the expected correct behavior?
Save the trace without problems
Build information
Wireshark 4.0.5 (v4.0.5-0-ge556162d8da3).
Copyright 1998-2023 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using GCC 9.4.0, with GLib 2.64.6, with PCRE2, with zlib
1.2.11, with Qt 5.12.8, with libpcap, without POSIX capabilities, without libnl,
without Lua, without GnuTLS, with Gcrypt 1.8.5, without Kerberos, without
MaxMind, with nghttp2 1.40.0, without brotli, without LZ4, without Zstandard,
without Snappy, without libxml2, without libsmi, with QtMultimedia, without
automatic updates, with SpeexDSP (using bundled resampler), without Minizip,
with binary plugins.
Running on Linux 5.4.0-148-generic, with Intel(R) Core(TM) i5-5300U CPU @
2.30GHz (with SSE4.2), with 15884 MB of physical memory, with GLib 2.64.6, with
PCRE2 10.34 2019-11-21, with zlib 1.2.11, with Qt 5.12.8, with libpcap 1.9.1
(with TPACKET_V3), with c-ares 1.15.0, with Gcrypt 1.8.5, with nghttp2 1.40.0,
with LC_TYPE=en_US.UTF-8, binary plugins supported.
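
To check which link-layer type each interface in a pcapng file declares, and whether the file mixes them as the report suspects, the following added example (not part of the original report and not Wireshark's code) walks the blocks and reads every Interface Description Block. The sample bytes are constructed, and Ethernet for the eth0 interface is an assumption.

```python
import struct

# Link-layer type numbers from the tcpdump.org LINKTYPE registry
LINKTYPES = {1: "Ethernet", 113: "Linux cooked-mode capture v1"}
SHB, IDB = 0x0A0D0D0A, 0x00000001  # pcapng block type codes

def interface_linktypes(data):
    """Return the LinkType of every Interface Description Block, in file order."""
    types, pos, endian = [], 0, "<"
    while pos + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, pos)[0]
        if btype == SHB:  # palindromic type; the byte-order magic sets endianness
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        length = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if length < 12 or length % 4 or pos + length > len(data):
            raise ValueError(f"bad block length {length} at offset {pos}")
        if btype == IDB and length >= 20:  # body: LinkType(2) Reserved(2) SnapLen(4)
            types.append(struct.unpack_from(endian + "H", data, pos + 8)[0])
        pos += length
    return types

def describe(data):
    """Return (per-interface link type names, True if the file mixes link types)."""
    types = interface_linktypes(data)
    return [LINKTYPES.get(t, f"LINKTYPE {t}") for t in types], len(set(types)) > 1

def _block(btype, body):
    """Build one little-endian pcapng block for the constructed sample."""
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample: one section with two interfaces, the first declaring
# Linux cooked-mode v1 (as the report describes for "any"), the second Ethernet
# (assumed for eth0). No packet blocks are included.
SAMPLE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _block(IDB, struct.pack("<HHI", 113, 0, 262144))
          + _block(IDB, struct.pack("<HHI", 1, 0, 262144)))

if __name__ == "__main__":
    names, mixed = describe(SAMPLE)
    for index, name in enumerate(names):
        print(f"interface {index}: {name}")
    print("mixed link types:", mixed)
```

To inspect a real file, pass its bytes (for example `open(path, "rb").read()`) to `describe`.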