Hi Guys,

I have a pdml output file which is OK for all the IP, TCP, UDP etc. but there is one protocol which does not get written correctly. tshark puts a <proto></proto> section within another <proto></proto> section, which makes it non-XML-compliant. Has anyone had this happen before? Any ideas how I can correct it?

regards, Degsy

asked 03 Feb '12, 02:45 Degsy
I haven't seen that happen myself. Are you able to share a file that exhibits this behavior? You could post it to CloudShark for people to look at.
Are you using any custom dissectors? What version of TShark is producing the PDML?
I can replicate described behavior with current wireshark git (54dfe3b9b68) without any custom dissectors. It doesn't break XML in my case, but differs from "fake protocol wrapper" fields that seem to be used in similar cases elsewhere.
As README.xml-output doesn't mention that it's possible for fields to contain "proto" elements, is it safe to assume it's a bug and that it should be reported as such?
If you have a capture file that exhibits the issue, go ahead and file a report at the Wireshark Bugzilla and attach the capture to the bug report.
Thanks. Filed it under https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10588
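A quick way to check a PDML file for the nesting discussed in this thread, as an added example that is not from any of the posters or from Wireshark itself: it separates "not well-formed XML" from "well-formed, but a proto element sits below another proto". The sample PDML is constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment (not from a real capture): a <proto> nested
# inside a <field> of another <proto>.
SAMPLE_PDML = """<pdml>
 <packet>
  <proto name="geninfo"><field name="num" show="1"/></proto>
  <proto name="outer">
   <field name="outer.payload">
    <proto name="inner"><field name="inner.x" show="7"/></proto>
   </field>
  </proto>
 </packet>
</pdml>"""


def find_nested_protos(pdml_text):
    """Return (packet_index, path) for each <proto> that sits below another
    <proto>, directly or via <field>. Raises ET.ParseError if the input is
    not well-formed XML."""
    root = ET.fromstring(pdml_text)
    hits = []

    def walk(elem, path, inside_proto, pkt):
        for child in elem:
            child_path = path + [f"{child.tag}[{child.get('name', '?')}]"]
            if child.tag == "proto" and inside_proto:
                hits.append((pkt, "/".join(child_path)))
            walk(child, child_path, inside_proto or child.tag == "proto", pkt)

    for pkt, packet in enumerate(root.iter("packet"), start=1):
        walk(packet, [], False, pkt)
    return hits


def check(pdml_text):
    """Summarise the result as one line suitable for a bug report."""
    try:
        nested = find_nested_protos(pdml_text)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if nested:
        return "well-formed, nested proto at: " + "; ".join(
            f"packet {p}: {path}" for p, path in nested)
    return "well-formed, no nested proto"


if __name__ == "__main__":
    print(check(SAMPLE_PDML))
```
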