This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark (tshark) 2.3.0 export imf object error, a bug?

In this pcap file, if we use "tcp.stream eq 0" as the filter and save the text of the stream to a .emf file, we will get a legal mail file.

If we use "imf" as the filter, copy the text of the "Internet Message Format" and save it to a .emf file, then open the .emf file we saved and check the content of the attachment, we will find the picture is damaged.

If we use "export object" to export the imf objects to a file, the picture is damaged, too.

Here are the two eml files (ok.eml and error.eml). The content of these two files should be the same, but it is not. In error.eml, we can read: [image] This text is not correct.

asked 27 Mar '17, 01:59

my3439955

edited 27 Mar '17, 02:43


One Answer:

I took a look and it seems that the "Fast Retransmissions" are not handled well by the TCP protocol preference "Do not call subdissectors for error packets". This means they will end up in the IMF data. The "follow TCP stream" output does not contain the extra bytes as they are ignored based on the TCP sequence numbers.

Could you file a bug-report at https://bugs.wireshark.org for this? Please attach the file and my comments to the case. Thanks!

answered 27 Mar '17, 03:02

SYN-bit ♦♦

I'll try what you told me, thanks for the answer.

(27 Mar '17, 03:36) my3439955
(27 Mar '17, 04:20) my3439955

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(27 Mar '17, 08:30) Jaap ♦
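
The effect described in the answer, as an added illustration (not Wireshark's code and not part of the original thread): concatenating segment payloads in capture order keeps a retransmitted segment's bytes, while placing bytes by TCP sequence number drops them. The function names and the sample capture are constructed for this example.

```python
import base64

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

def naive_reassemble(segments):
    """Concatenate payloads in capture order, retransmissions included."""
    return b"".join(payload for _seq, payload in segments)

def seq_reassemble(segments, isn):
    """Place each byte at its sequence offset; the first copy seen wins.

    Returns (stream, duplicates): the contiguous stream from offset 0 and
    (seq, repeated_bytes) for every segment carrying bytes already seen.
    """
    seen = {}            # relative offset -> byte value
    duplicates = []
    for seq, payload in segments:
        off = (seq - isn) % MOD
        repeated = sum(1 for i in range(len(payload)) if off + i in seen)
        if repeated:
            duplicates.append((seq, repeated))
        for i, b in enumerate(payload):
            seen.setdefault(off + i, b)
    stream = bytearray()
    while len(stream) in seen:   # stop at the first gap
        stream.append(seen[len(stream)])
    return bytes(stream), duplicates

def build_sample():
    """Constructed capture: a base64 body in 8-byte segments, with the
    second segment sent again after the fourth (a retransmission)."""
    original = bytes(range(30))          # stand-in for the attachment
    body = base64.b64encode(original)    # 40 base64 characters
    isn = MOD - 16                       # chosen so the sequence wraps
    segs = [((isn + i) % MOD, body[i:i + 8]) for i in range(0, len(body), 8)]
    segs.insert(4, segs[1])              # retransmitted copy of segment 2
    return original, isn, segs

if __name__ == "__main__":
    original, isn, segs = build_sample()
    good, dups = seq_reassemble(segs, isn)
    bad = naive_reassemble(segs)
    print("retransmitted segments:", dups)
    print("sequence-aware matches:", base64.b64decode(good) == original)
    print("capture-order matches: ", base64.b64decode(bad) == original)
```

Comparing the two outputs for a real stream is a quick way to tell whether a damaged exported attachment comes from duplicated segment data rather than from the message itself.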