This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark doesn’t work correctly with rvi0 on MacOS X 10.9.5

0

On MacOS X 10.9.4, Wireshark 1.12.1 (v1.12.1-0-g01b65bf from master-1.12) worked with the rvi0 interface without any problems. After updating to 10.9.5, I see just

Source=00.00.00
Dest. = 00.00.00
Protocol = FC
Info = Unknown frame (Bogus Fragment)

for every packet on rvi0. Live capturing just stops working for rvi0. At the same time, Wireshark works fine with all other interfaces, and it parses tcpdump's output for rvi0 correctly.

Could you please tell me what happened to live capturing on rvi0?

asked 24 Sep '14, 11:29


dimakovalenko


One Answer:

2

I suspect Apple "improved" the rvi mechanism in an incompatible fashion, breaking the DLT_PKTAP format.

Please file a bug on the Wireshark Bugzilla, and save one of the bad captures from 10.9.5 to a file and attach the file so we can see what the result of their "improvements" is.

UPDATE: no, based on the data in the bug you filed (thanks), we weren't using the header length field in the pktap header to determine where the packet payload was, and Apple made the PKTAP header bigger in 10.9.5, so we weren't correctly dissecting packets in captures done on 10.9.5. A fix has been checked in on the trunk and the 1.12 branch, so the 1.12.2 release, when it comes out, should be able to dissect the packets (and should be able to handle future lengthening of the PKTAP header).

answered 24 Sep '14, 17:05


Guy Harris ♦♦

edited 25 Sep '14, 01:31
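The answer above describes a dissector that located the packet payload at a fixed offset instead of reading the header length field, so a longer DLT_PKTAP header from 10.9.5 pushed the dissector into zero-filled metadata (hence the 00.00.00 addresses and "Bogus Fragment"). The following is an added example, not code from Wireshark or from the answer's author, showing the two approaches side by side on constructed records. It assumes only that the first three 32-bit fields of the pktap header are, in host byte order, the total header length, a "type of next data" field and the DLT of the encapsulated packet; the 84- and 108-byte header sizes are hypothetical values chosen for the demo, and every byte of sample data is constructed here.

```python
import struct

# Assumed layout of the start of Apple's DLT_PKTAP header (not taken from any
# Wireshark source): pth_length (total header length), pth_type_next, pth_dlt,
# all little-endian 32-bit on an Intel capture host. Everything after these
# three fields is process/interface metadata that a payload locator can skip.
PKTAP_PREFIX = "<III"
PKTAP_PREFIX_LEN = struct.calcsize(PKTAP_PREFIX)   # 12 bytes

# Hypothetical header sizes used only for this demo: the "old" size a naive
# dissector hardcodes, and a "new" longer header after fields were appended.
OLD_HDR_LEN = 84
NEW_HDR_LEN = 108

DLT_EN10MB = 1   # libpcap link type for Ethernet


def build_pktap_frame(hdr_len, dlt, payload):
    """Constructed test record: a pktap header of hdr_len bytes with the
    three prefix fields filled in, the remaining metadata zeroed, then the
    encapsulated packet."""
    if hdr_len < PKTAP_PREFIX_LEN:
        raise ValueError("header length smaller than the fixed prefix")
    header = struct.pack(PKTAP_PREFIX, hdr_len, 0, dlt)
    header += b"\x00" * (hdr_len - PKTAP_PREFIX_LEN)
    return header + payload


def payload_naive(frame):
    """The broken approach: assume the header is always OLD_HDR_LEN bytes.
    Works until the producer lengthens the header; then the 'payload' starts
    inside the zero-filled metadata."""
    _, _, dlt = struct.unpack_from(PKTAP_PREFIX, frame, 0)
    return dlt, frame[OLD_HDR_LEN:]


def payload_by_length(frame):
    """The fixed approach: use pth_length, after bounds checks, so a longer
    header from a newer OS still lands on the correct payload offset."""
    if len(frame) < PKTAP_PREFIX_LEN:
        raise ValueError("truncated pktap header")
    hdr_len, _, dlt = struct.unpack_from(PKTAP_PREFIX, frame, 0)
    # A dissector must not trust an on-the-wire length blindly: reject values
    # that point inside the known fields or past the captured data.
    if hdr_len < PKTAP_PREFIX_LEN or hdr_len > len(frame):
        raise ValueError("bogus pktap header length %d" % hdr_len)
    return dlt, frame[hdr_len:]


def ethernet_addrs(pkt):
    """Return (destination MAC, source MAC) of an Ethernet payload as text."""
    if len(pkt) < 14:
        raise ValueError("short Ethernet header")

    def fmt(raw):
        return ":".join("%02x" % b for b in raw)

    return fmt(pkt[0:6]), fmt(pkt[6:12])


# Constructed sample payload: 14-byte Ethernet header (dst, src, IPv4 type)
# followed by filler standing in for the IP packet.
SAMPLE_ETH = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
              + b"\x08\x00" + b"\x45" * 20)


if __name__ == "__main__":
    old = build_pktap_frame(OLD_HDR_LEN, DLT_EN10MB, SAMPLE_ETH)
    new = build_pktap_frame(NEW_HDR_LEN, DLT_EN10MB, SAMPLE_ETH)
    for name, frame in (("old header", old), ("new header", new)):
        _, naive = payload_naive(frame)
        _, fixed = payload_by_length(frame)
        print(name, "fixed offset:", ethernet_addrs(naive),
              "by pth_length:", ethernet_addrs(fixed))
```

Run stand-alone, the fixed-offset parser reports all-zero MAC addresses for the longer header while the length-aware parser recovers the real ones; the bounds check also rejects a record truncated below its declared header length, which is the case a fuzzed or damaged capture would trigger.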

@Guy Harris: Thanks a lot for your support! Is there any workaround? E.g. to add something to Edit->Preferences->Protocols>DLT_USER->Edit Encapsulations Table? I am thinking about (temporarily) using another network capturing tool, and then going back to Wireshark 1.12.2. Maybe I should not do it because it's possible to fix the problem with some workaround right now?

(25 Sep '14, 03:58) dimakovalenko

You could try downloading the latest "Wireshark 1.12.2rc0 ... Intel 64.dmg" build from the automated build section of one of the Wireshark download sites. Go to https://www.wireshark.org/download/automated/osx/ and pick the most recent 1.12.2 Intel 64 build. Those builds have the fix.

(25 Sep '14, 11:57) Guy Harris ♦♦

https://www.wireshark.org/download/automated/osx/Wireshark%201.12.2rc0-32-gce0e169%20Intel%2064.dmg works just perfectly! Thanks a lot! No need to temporarily switch to another tool.

(26 Sep '14, 00:09) dimakovalenko