Ask Your Question
0

dicom object extraction: discrepancy between tshark and wireshark

asked 2020-08-10 17:10:38 +0000

daje gravatar image

I noticed that if I extract dicom objects from a pcap file the result is different if Wireshark or Tshark is used. For Wireshark three dicom are extracted for each reassembled ID while for Tshark just one. For example, if I have a CT Image Storage Fragment (reassembled in #3721) with Wireshark I will have three files with #3721 while in Tshark just one. Can someone explain to me how come does it happen?

edit retag flag offensive close merge delete

Comments

Same versions in tshark -v and wireshark -v ? (oops - guess they would be in same path)
What is Wireshark version under Help -> About Wireshark ?

Chuckc gravatar imageChuckc ( 2020-08-10 17:20:40 +0000 )edit

Wish I had recorded tshark and wireshark versions in this question
Would like to assume they were same version but not sure - file sizes different for wireshark vs tshark.

Doing the extracts again with 3.2.5 show different file sizes for the same object export.
Before opening a bug, maybe someone that knows Dicom will chime in with an explanation.

Chuckc gravatar imageChuckc ( 2020-08-10 19:42:08 +0000 )edit

For version 3.2.5, files exported from test pcap are different:

DICOMparser ©2020, build 20200210, Rubo Medical Imaging BV, www.rubomedical.com
DICOM file: 'C:\Users\IEUser\Downloads\DICOM_Parser_Rubo\002804-1-Secondary-Capture-Image-Storage.dcm'

     TAG       VR        SIZE     NAME                                      DATA                                 
--snip--
(0002),(0002)  UI          30  Media Storage SOP Class UID                1.2.826.0.1.3680043.8.427.11.1
(0002),(0003)  UI          38  Media Storage SOP Instance UID             1.2.826.0.1.3680043.8.427.11.2.2804.1
(0002),(0010)  UI          22  Transfer Syntax UID                        1.2.840.10008.1.2.4.70
(0002),(0012)  UI          28  Implementation Class UID                   1.2.826.0.1.3680043.8.427.10
(0002),(0013)  SH          10  Implementation Version Name                WIRESHARK
(0008),(0005)  CS          10  Specific Character Set                     ISO_IR 100
(0008),(0016)  UI          26  SOP Class UID                              1.2.840.10008.5.1.4.1.1.7
(0008),(0018)  UI          54  SOP Instance UID ...
(more)
Chuckc gravatar imageChuckc ( 2020-08-10 19:46:31 +0000 )edit

Is it possible to test this with an older version (2.6.x, 3.0.x) of Wireshark and tshark or can you provide a pcap showing the issue?

Chuckc gravatar imageChuckc ( 2020-08-11 04:10:54 +0000 )edit

ops....you are right, I'm using two different versions of tshark(2.6) and wirteshark(3.2). I can repeat the test with Wireshark(2.6) and give you the results and the pcap file.

daje gravatar imagedaje ( 2020-08-11 07:56:14 +0000 )edit
see more comments

1 Answer

Sort by » oldest newest most voted
0

answered 2020-08-16 14:38:46 +0000

Chuckc gravatar image

Patches were merged in yesterday (200815)
Testing with Version 3.3.0rc0-1850-g521180d8d7ee (v3.3.0rc0-1850-g521180d8d7ee) from the automated builds
File names and checksums now match for objects exported from Wireshark Gui and tshark CLI.

The wiki is going through a platform migration and the roadmap dates are out of sync.
Old wiki shows 3.2.6 release date August 12.
New wiki shows:

3.2.6    September 23, 2020   Next maintenance release of the 3.2 branch

I think that would be 3.2.7 coming out in September.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-08-10 17:10:38 +0000

Seen: 331 times

Last updated: Aug 16 '20

Related questions

How do I change the interface on Tshark?

Tshark output file problem, saving to csv or txt

how to extract whole xml structure from soap envelope using tshark?

Why did file size become bigger after applying filtering on tshark?

Tshark output incomplete in real time

Using tshark to capture and Read filter at the same time

Capture from only one Port in wireshark and tshark

lua script for 80211ah

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?