
On Mac OS X 10.9.4, Wireshark 1.12.1 (v1.12.1-0-g01b65bf from master-1.12) worked with the rvi0 interface without any problems. After updating to 10.9.5, I see just

Source=00.00.00
Dest. = 00.00.00
Protocol = FC
Info = Unknown frame (Bogus Fragment)

for any packet on rvi0. Live capturing just stopped working for rvi0. At the same time, Wireshark works fine with any other interface, and it also parses tcpdump's output for rvi0 correctly.

Could you please tell what happened to live capturing on rvi0?

asked 24 Sep '14, 11:29


dimakovalenko


I suspect Apple "improved" the rvi mechanism in an incompatible fashion, breaking the DLT_PKTAP format.

Please file a bug on the Wireshark Bugzilla, save one of the bad captures from 10.9.5 to a file, and attach the file so we can see what the result of their "improvements" is.

UPDATE: no, based on the data in the bug you filed (thanks), we weren't using the header length field in the pktap header to determine where the packet payload was, and Apple made the PKTAP header bigger in 10.9.5, so we weren't correctly dissecting packets in captures done on 10.9.5. A fix has been checked in on the trunk and the 1.12 branch, so the 1.12.2 release, when it comes out, should be able to dissect the packets (and should be able to handle future lengthening of the PKTAP header).


answered 24 Sep '14, 17:05


Guy Harris ♦♦

edited 25 Sep '14, 01:31

@Guy Harris: Thanks a lot for your support! Is there any workaround? E.g. adding something to Edit->Preferences->Protocols->DLT_USER->Edit Encapsulations Table? I am thinking about (temporarily) using another network capturing tool and then going back to Wireshark 1.12.2. Maybe I should not do it because it's possible to fix the problem with some workaround right now?

(25 Sep '14, 03:58) dimakovalenko

You could try downloading the latest "Wireshark 1.12.2rc0 ... Intel 64.dmg" build from the automated build section of one of the Wireshark download sites. Go to https://www.wireshark.org/download/automated/osx/ and pick the most recent 1.12.2 Intel 64 build. Those builds have the fix.

(25 Sep '14, 11:57) Guy Harris ♦♦

https://www.wireshark.org/download/automated/osx/Wireshark%201.12.2rc0-32-gce0e169%20Intel%2064.dmg works just perfectly! Thanks a lot! No need to temporarily switch to another tool.

(26 Sep '14, 00:09) dimakovalenko
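The root cause given in the accepted answer is a classic capture-format pitfall: the dissector located the packet payload at a hard-coded offset instead of reading the header's own length field, so when the header grew every payload was sliced at the wrong place and came out as "Bogus Fragment". The following added example (written for this page, not Wireshark's or Apple's code) contrasts the fixed-offset decoder with a length-driven one that also bounds-checks the declared length. Only the leading pth_length / pth_type_next / pth_dlt prefix is modelled; the rest of the header, the two header sizes (108 and 128) and the Ethernet frame are constructed values and are not Apple's actual numbers.

```python
import struct

# Assumed layout (not taken from the page): the pktap header starts with three
# 32-bit little-endian fields: pth_length (total header size in bytes),
# pth_type_next, and pth_dlt (link type of the encapsulated frame). Everything
# after that prefix is treated as opaque here and is zero-filled in the
# constructed records below.
PKTAP_PREFIX = struct.Struct("<III")
DLT_EN10MB = 1          # libpcap link type for Ethernet
ETHERTYPE_IPV4 = 0x0800


class PktapError(ValueError):
    """Raised when a pktap record cannot be decoded safely."""


def split_pktap(record: bytes):
    """Length-driven decoding: use pth_length to locate the payload."""
    if len(record) < PKTAP_PREFIX.size:
        raise PktapError("record shorter than the pktap fixed prefix")
    hdr_len, _type_next, dlt = PKTAP_PREFIX.unpack_from(record, 0)
    # A header shorter than its own fixed prefix, or longer than the record,
    # cannot be right; refuse rather than slicing at a nonsense offset.
    if hdr_len < PKTAP_PREFIX.size or hdr_len > len(record):
        raise PktapError(f"bogus pktap header length {hdr_len}")
    return dlt, record[hdr_len:]


def split_pktap_fixed(record: bytes, assumed_len: int):
    """Fixed-offset decoding: ignores pth_length and slices at a constant."""
    _hdr_len, _type_next, dlt = PKTAP_PREFIX.unpack_from(record, 0)
    return dlt, record[assumed_len:]


def ethertype_of(frame: bytes) -> int:
    """Read the EtherType of an Ethernet II frame (bytes 12-13, big-endian)."""
    if len(frame) < 14:
        raise PktapError("truncated Ethernet header")
    return struct.unpack_from("!H", frame, 12)[0]


def build_record(header_len: int, frame: bytes) -> bytes:
    """Construct a pktap record whose header has the given total length."""
    if header_len < PKTAP_PREFIX.size:
        raise ValueError("header_len smaller than the fixed prefix")
    header = PKTAP_PREFIX.pack(header_len, 0, DLT_EN10MB)
    header += b"\x00" * (header_len - PKTAP_PREFIX.size)
    return header + frame


# Constructed sample: Ethernet II frame carrying a minimal, all-zero IPv4 header.
SAMPLE_FRAME = (bytes.fromhex("001122334455")      # destination MAC
                + bytes.fromhex("66778899aabb")    # source MAC
                + struct.pack("!H", ETHERTYPE_IPV4)
                + b"\x45" + b"\x00" * 19)          # IPv4 version/IHL + padding

# Constructed header sizes standing in for "before" and "after" a header growth;
# they are illustrative and not Apple's actual values.
OLD_HEADER_LEN = 108
NEW_HEADER_LEN = 128


def compare_decoders():
    """Decode old- and new-size records both ways; return the EtherType each sees."""
    results = {}
    for label, hdr_len in (("old", OLD_HEADER_LEN), ("new", NEW_HEADER_LEN)):
        record = build_record(hdr_len, SAMPLE_FRAME)
        dlt, payload = split_pktap(record)
        assert dlt == DLT_EN10MB
        results[f"{label}_length_driven"] = ethertype_of(payload)
        # The fixed decoder keeps assuming the old size, so on the larger
        # header it lands 20 bytes early and reads padding as the frame.
        _, payload = split_pktap_fixed(record, OLD_HEADER_LEN)
        results[f"{label}_fixed"] = ethertype_of(payload)
    return results


if __name__ == "__main__":
    for key, value in compare_decoders().items():
        print(f"{key:20s} EtherType 0x{value:04x}")
```

On the larger record the fixed decoder reports EtherType 0x0000 while the length-driven decoder still finds 0x0800; that misalignment is what the "Bogus Fragment" rows in the question look like from the outside. The bounds check in split_pktap matters for the same reason in reverse: a length field that points past the end of the record must be rejected, not used as a slice offset.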

question was seen: 2,834 times

last updated: 26 Sep '14, 00:09