On MacOS X 10.9.4, Wireshark 1.12.1 (v1.12.1-0-g01b65bf from master-1.12) worked with rvi0 interface without any problems. After update to 10.9.5, I see just
for any package on rvi0. Live capturing just stopped working for rvi0. At the same time, Wireshark works OK with any other interface, and it parses tcpdump's output for rvi0 well.
Could you please tell what happened to live capturing on rvi0?
asked 24 Sep '14, 11:29
I suspect Apple "improved" the rvi mechanism in an incompatible fashion, breaking the DLT_PKTAP format.
Please file a bug on the Wireshark Bugzilla, and save one of the bad captures from 10.9.5 to a file and attach the file so we can see what the result of their "improvements" is.
UPDATE: no, based on the data in the bug you filed (thanks), we weren't using the header length field in the pktap header to determine where the packet payload was, and Apple made the PKTAP header bigger in 10.9.5, so we weren't correctly dissecting packets in captures done on 10.9.5. A fix has been checked in on the trunk and the 1.12 branch, so the 1.12.2 release, when it comes out, should be able to dissect the packets (and should be able to handle future lengthening of the PKTAP header).
answered 24 Sep '14, 17:05
Guy Harris ♦♦
edited 25 Sep '14, 01:31
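The failure mode described in the answer above, as an added example (not Wireshark's code and not part of the original posts): a parser that hard-codes the header size misplaces the payload once the header grows, while one that reads and validates the header's own length field keeps working. The header sizes, the little-endian 32-bit length field at offset 0, and all function names here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed header sizes for this example only (not Apple's real values). */
#define OLD_HDR_LEN 16u   /* size the fixed-offset parser was written for */
#define NEW_HDR_LEN 24u   /* header after an update appended more fields */

/* Read a 32-bit little-endian value (assumed byte order), alignment-safe. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fragile: ignores the length field and assumes the header never grows. */
long payload_offset_fixed(const uint8_t *rec, size_t caplen)
{
    (void)rec;
    return caplen >= OLD_HDR_LEN ? (long)OLD_HDR_LEN : -1;
}

/* Robust: use the header's own length field, but validate it first. */
long payload_offset_from_len(const uint8_t *rec, size_t caplen)
{
    uint32_t hdr_len;
    if (caplen < 4) return -1;              /* cannot even read the field */
    hdr_len = rd_le32(rec);
    if (hdr_len < OLD_HDR_LEN) return -1;   /* shorter than the known fields */
    if (hdr_len > caplen) return -1;        /* would run past captured bytes */
    return (long)hdr_len;
}

/* Build a constructed record: length field, zeroed header rest, payload. */
size_t build_record(uint8_t *out, uint32_t hdr_len, const char *payload)
{
    size_t n = strlen(payload);
    memset(out, 0, hdr_len);
    out[0] = (uint8_t)(hdr_len & 0xff);
    out[1] = (uint8_t)((hdr_len >> 8) & 0xff);
    out[2] = (uint8_t)((hdr_len >> 16) & 0xff);
    out[3] = (uint8_t)((hdr_len >> 24) & 0xff);
    memcpy(out + hdr_len, payload, n);
    return hdr_len + n;
}
```

The two bounds checks in `payload_offset_from_len` matter as much as reading the field: a length taken from capture data is untrusted input and must not be used as an offset before it is compared against the captured length.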