Can't export dicom objects although present in pcap

asked 2020-07-10 13:01:27 +0000

daje gravatar image

I want to export a dicom object from pcap file, I can see with packet reassembly that the object is complete but when I try to export I get an empty list. Do I have data loss? If yes how can I see it?

edit retag flag offensive close merge delete

Comments

1

There is a preference setting dicom.export_minsize which has a default value of 4096.
Are the objects for export smaller than 4096? If so, adjust the preference setting.

prefs_register_uint_preference(dcm_module, "export_minsize",
   "Min. item size in bytes to export",
   "Do not show items below this size in the export list. "
   "Set it to 0, to see DICOM commands and responses in the list. "
   "Set it higher, to just export DICOM IODs (i.e. CT Images, RT Structures).", 10,
   &global_dcm_export_minsize);


The screen shot on the wiki is not current but does show minsize.

Chuckc gravatar imageChuckc ( 2020-07-10 14:46:50 +0000 )edit

You might need to share a pcap file in order for someone to be able to help here. It's not possible to upload capture files here, so this is usually done using something like Google Drive, OneDrive, DropBox, etc. It's possible there is a bug, and if so, a new bug report would need to be reported in the Wireshark bug tracker.

Note that there are 2 DICOM related bugs already filed, but I have no idea if they're related to this problem or not. For reference:

  1. Bug 13110 - Dissector skips DICOM command
  2. Bug 13388 - DICOM Disscetion in reassembled PDV goes wrong

But you should probably start out by supplying your Wireshark version information. If there was a bug, perhaps you're using an older version of Wireshark and it's already been fixed. Please paste output from Wireshark's Help -> About Wireshark -> Copy To Clipboard.

cmaynard gravatar imagecmaynard ( 2020-07-10 15:28:03 +0000 )edit

I discovered that Dicom packets were corrupted, there fore it was not possible to extract DICOM object. I think it is possible to close this issue

daje gravatar imagedaje ( 2020-07-15 12:00:01 +0000 )edit

Hello,

I have the same problem. I am using a CT with a port that is different from the default DICOM port 104. I can reconstruct the DICOMs from the pcap with Wireshark version 3.4.4 without any problems. But with tshark I do not get DICOM objects. My pcaps are always 500MB in size.

Is there already a solution for this?

Many greetings Dan

daloh gravatar imagedaloh ( 2021-06-07 16:07:03 +0000 )edit

Are you telling tshark what port (dicom.tcp.port) to look at for Dicom?
(Example in this question on old Q&A site)

Chuckc gravatar imageChuckc ( 2021-06-07 16:44:08 +0000 )edit
add a comment