Discussion:
What is "Export PDUs to File..." intended to do?
Guy Harris
2014-07-16 01:05:19 UTC
Currently, it writes something to a temporary file, and then closes the current file and reads the new file in.

1) What do the four choices it offers mean? I tried it with "OSI Layer 3" on an HTTP capture and no packets were written.

2) Why does it replace the current capture, rather than writing out to a new file with a specified name? That's not what I'd expect a menu item that begins with "Export" to do.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Pascal Quantin
2014-07-16 05:55:51 UTC
Post by Guy Harris
Currently, it writes something to a temporary file, and then closes the current file and reads the new file in.
1) What do the four choices it offers mean? I tried it with "OSI Layer 3" on an HTTP capture and no packets were written.
The idea is to strip the lower layers or create a new pcap with the
deciphered payload for example.
As of today, if you select "OSI layer 3" it will export PDUs from IPSec
and SCTP. If you select "OSI layer 7", it will export the (eventually
deciphered) payload for credssp, diameter, DTLS, reload, SIP and SSL.
This is not a generic export (each dissector needs to register a tap if
it wants the functionality) so I'm not surprised that applying it on
HTTP did not export any packet. We did not come up with a meaningful
name so far explaining what it is doing. The "Logcat" and "DVB-CI"
exports are easier to understand :) I would be OK to create a
"deciphered" entry and more application oriented selections (like SIP or
diameter) but Anders was not fond of it.
Post by Guy Harris
2) Why does it replace the current capture, rather than writing out to a new file with a specified name? That's not what I'd expect a menu item that begins with "Export" to do.
I *think* the idea was to be able to visualize the output immediately.
If you are happy with it you can save the new capture. If you are not,
you can close the file and reopen the previous capture. If the parent
capture is not saved, you get a popup dialog asking you whether you want
to save it or not, avoiding to lose any data.

Pascal.
Guy Harris
2014-07-16 09:59:31 UTC
Post by Pascal Quantin
Post by Guy Harris
Currently, it writes something to a temporary file, and then closes the current file and reads the new file in.
1) What do the four choices it offers mean? I tried it with "OSI Layer 3" on an HTTP capture and no packets were written.
The idea is to strip the lower layers or create a new pcap with the
deciphered payload for example.
As of today, if you select "OSI layer 3" it will export PDUs from IPSec
and SCTP.
Those aren't the only protocols in the universe at the transport layer - and I'm not sure IPSec is a transport-layer protocol.

Perhaps it should say "IPSec and SCTP" instead?
Post by Pascal Quantin
If you select "OSI layer 7", it will export the (eventually
deciphered) payload for credssp, diameter, DTLS, reload, SIP and SSL.
Ditto.
Post by Pascal Quantin
Post by Guy Harris
2) Why does it replace the current capture, rather than writing out to a new file with a specified name? That's not what I'd expect a menu item that begins with "Export" to do.
I *think* the idea was to be able to visualize the output immediately.
If you are happy with it you can save the new capture. If you are not,
you can close the file and reopen the previous capture. If the parent
capture is not saved, you get a popup dialog asking you whether you want
to save it or not, avoiding to lose any data.
If that's the intent, it should probably have a name other than "Export PDUs to File", as, unlike the other operations that begin with "Export", it has a side-effect of closing the current file and opening and reading a new file.

(If we supported having multiple files open in the same process, perhaps it should open a new window with the new file.)
Anders Broman
2014-07-17 15:59:56 UTC
-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org [mailto:wireshark-users-***@wireshark.org] On Behalf Of Guy Harris
Sent: den 16 juli 2014 12:00
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] What is "Export PDUs to File..." intended to do?
Post by Pascal Quantin
Post by Guy Harris
Currently, it writes something to a temporary file, and then closes the current file and reads the new file in.
1) What do the four choices it offers mean? I tried it with "OSI Layer 3" on an HTTP capture and no packets were written.
The idea is to strip the lower layers or create a new pcap with the
deciphered payload for example.
As of today, if you select "OSI layer 3" it will export PDUs from
IPSec and SCTP.
Those aren't the only protocols in the universe at the transport layer - and I'm not sure IPSec is a transport-layer protocol.

Perhaps it should say "IPSec and SCTP" instead?

That may become long-winded if more protocols are added...
Post by Pascal Quantin
If you select "OSI layer 7", it will export the (eventually
deciphered) payload for credssp, diameter, DTLS, reload, SIP and SSL.
Ditto.
