Wireshark mailing list archives

Re: A strange problem about Wireshark


From: Hadriel Kaplan <hadrielk () yahoo com>
Date: Thu, 25 Jun 2015 12:25:03 -0700

In several places you use the ‘string’ method of the TvbRange object.  For example "h264tvb(2):string()", and several 
other places.

My guess is your problem is a change in behavior of the TvbRange’s “string” method.  But I don’t know why you see the 
change in behavior in 1.10 - as far as I can tell 1.10 should behave the same as 1.8.  Internally they both call a 
C-function named “tvb_get_ephemeral_string”, and I don’t think that function changed in 1.10 (it changed in 1.12 
however).

In 1.8, the “string” method produced a Lua string of the raw bytes of the TvbRange, because tvb_get_ephemeral_string 
assumed ASCII but didn’t change the character if it wasn’t ASCII (so in a sense, it just retrieved the raw bytes).  But 
in Wireshark 1.12 the “string” method produces a Lua string based on a string encoding of the bytes, with a default of 
ASCII, and when it finds non-ASCII characters it replaces them with Unicode, and thus your output file would be 
different.  There’s still another way to get the raw bytes in 1.12, but you said 1.10 so that won’t help.

Are you sure it’s not Wireshark 1.12 (or 1.11) that’s giving you the problem?

For the version that’s giving you the problem, please run “tshark -v” (or go to wireshark’s help->about dialog) and 
copy what gets shown into a reply to this email.

-hadriel


On Jun 24, 2015, at 5:01 AM, 老单 <1255768747 () qq com> wrote:

Dear all,
I am a Wireshark user from China. I put the attached file "h264.lua" into the installation directory of Wireshark, 
and set "dofile(DATA_DIR.."h264.lua")" at the end of the file "init.lua". The attached file "aa.pcap" is the capture 
result of "some rtsp data".
 
The file "aa.pcap" is opened by Wireshark. From the "Tools" menu, we can choose "Export h264 to file", then the h264 
raw data file from "aa.pcap" is given by Wireshark. The file attached as "new_wiershark_ver_over_1.10.x.h264" is 
the raw h.264 data file. This file can't be played by VLC player.
 
However, with the same file "aa.pcap" and the same file "h264.lua", using the same method, the raw h264 data file obtained 
from a lower version of Wireshark such as version 1.8.3 can be played by VLC directly. The raw h264 data is attached as 
"wireshark_ver_1.8.3.h264".
 
I am confused by the raw h264 data files of different versions of Wireshark. I don't know what causes the different 
results. I find some hex numbers "ef bf bd ef bf bd" and so on were inserted into the raw data file. TVB is used in 
h264.lua to get the raw data; maybe the TVB's difference between Wireshark versions causes the result.
 
Can you help me?
Thanks! 
 
<h264.lua><aa.pcap><new_wiershark_ver_over_1.10.x.h264><wireshark_ver_1.8.3.h264>
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
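
A model of the behaviour change discussed in this thread, as an added example that is not part of either message and is not Wireshark's code. It assumes the 1.12 "string" behaviour can be modelled by Python's ASCII decode with replacement followed by UTF-8 encoding; the sample bytes and all function names are constructed for illustration.

```python
REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 for U+FFFD; the "ef bf bd" runs seen in the bad file

# Constructed sample (not taken from aa.pcap): Annex B start code plus H.264-like bytes.
RAW_NAL = bytes.fromhex("00000001" "6742001e" "95a0507c40")


def string_raw_passthrough(raw: bytes) -> bytes:
    """Model of the 1.8 behaviour described in the reply: bytes come back unchanged."""
    return bytes(raw)


def string_ascii_decoded(raw: bytes) -> bytes:
    """Assumed model of 1.12: decode as ASCII, replace non-ASCII with U+FFFD, emit UTF-8."""
    return raw.decode("ascii", errors="replace").encode("utf-8")


def first_divergence(good: bytes, bad: bytes) -> int:
    """Offset of the first differing byte, or -1 if the two buffers are identical."""
    for i, (a, b) in enumerate(zip(good, bad)):
        if a != b:
            return i
    return -1 if len(good) == len(bad) else min(len(good), len(bad))


def corruption_report(exported: bytes) -> dict:
    """Heuristic check of an exported file for text-decoding damage."""
    hits = exported.count(REPLACEMENT)
    return {
        "replacement_sequences": hits,
        "exported_len": len(exported),
        # Each replaced byte grew from 1 byte to 3.
        "estimated_original_len": len(exported) - 2 * hits,
        "likely_text_decoded": hits > 0,
    }


if __name__ == "__main__":
    good = string_raw_passthrough(RAW_NAL)
    bad = string_ascii_decoded(RAW_NAL)
    print(good.hex(" "))
    print(bad.hex(" "))
    print("first differing offset:", first_divergence(good, bad))
    print(corruption_report(bad))
    # 0x95 and 0xa0 both collapse to the same sequence, so the damage is not reversible.
    print(string_ascii_decoded(b"\x95") == string_ascii_decoded(b"\xa0"))
```

A hit from corruption_report is a heuristic only, since valid binary data can contain ef bf bd by chance. Because distinct input bytes map to the same three-byte sequence, the original file cannot be rebuilt from the damaged one and has to be re-exported from the capture.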

