
dicom object extraction: discrepancy between tshark and wireshark

asked 2020-08-10 17:10:38 +0000

daje

I noticed that if I extract DICOM objects from a pcap file, the result is different depending on whether Wireshark or Tshark is used. With Wireshark, three DICOM files are extracted for each reassembled ID, while with Tshark just one. For example, if I have a CT Image Storage Fragment (reassembled in #3721), with Wireshark I will have three files with #3721 while in Tshark just one. Can someone explain to me why this happens?



Same versions in tshark -v and wireshark -v ? (oops - guess they would be in same path)
What is Wireshark version under Help -> About Wireshark ?

Chuckc ( 2020-08-10 17:20:40 +0000 )

Wish I had recorded tshark and wireshark versions in this question
Would like to assume they were same version but not sure - file sizes different for wireshark vs tshark.

Doing the extracts again with 3.2.5 shows different file sizes for the same object export.
Before opening a bug, maybe someone that knows DICOM will chime in with an explanation.

Chuckc ( 2020-08-10 19:42:08 +0000 )

For version 3.2.5, files exported from test pcap are different:

DICOMparser ©2020, build 20200210, Rubo Medical Imaging BV,
DICOM file: 'C:\Users\IEUser\Downloads\DICOM_Parser_Rubo\002804-1-Secondary-Capture-Image-Storage.dcm'

     TAG       VR        SIZE     NAME                                      DATA                                 
(0002),(0002)  UI          30  Media Storage SOP Class UID                1.2.826.0.1.3680043.8.427.11.1
(0002),(0003)  UI          38  Media Storage SOP Instance UID             1.2.826.0.1.3680043.8.427.11.2.2804.1
(0002),(0010)  UI          22  Transfer Syntax UID                        1.2.840.10008.
(0002),(0012)  UI          28  Implementation Class UID                   1.2.826.0.1.3680043.8.427.10
(0002),(0013)  SH          10  Implementation Version Name                WIRESHARK
(0008),(0005)  CS          10  Specific Character Set                     ISO_IR 100
(0008),(0016)  UI          26  SOP Class UID                              1.2.840.10008.
(0008),(0018)  UI          54  SOP Instance UID ...
Chuckc ( 2020-08-10 19:46:31 +0000 )

Is it possible to test this with an older version (2.6.x, 3.0.x) of Wireshark and tshark or can you provide a pcap showing the issue?

Chuckc ( 2020-08-11 04:10:54 +0000 )

are right, I'm using two different versions of tshark (2.6) and wireshark (3.2). I can repeat the test with Wireshark (2.6) and give you the results and the pcap file.

daje ( 2020-08-11 07:56:14 +0000 )

1 Answer


answered 2020-08-16 14:38:46 +0000

Chuckc

Patches were merged in yesterday (200815)
Testing with Version 3.3.0rc0-1850-g521180d8d7ee (v3.3.0rc0-1850-g521180d8d7ee) from the automated builds
File names and checksums now match for objects exported from Wireshark Gui and tshark CLI.

The wiki is going through a platform migration and the roadmap dates are out of sync.
Old wiki shows 3.2.6 release date August 12.
New wiki shows:

3.2.6    September 23, 2020   Next maintenance release of the 3.2 branch

I think that would be 3.2.7 coming out in September.

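One way to run the check described in the answer above (file names and checksums matching between a Wireshark GUI export and a tshark export), as an added example that is not part of the original thread or of the Wireshark project. It assumes the GUI objects were saved with File > Export Objects > DICOM into one directory and the tshark objects into another, and that exported names begin with the packet number, as in the file name shown in the parser output; the function names are hypothetical.

```python
import hashlib
import re
import subprocess
from collections import Counter
from pathlib import Path

# Assumption: exported names start with the packet number, as in the
# page's "002804-1-Secondary-Capture-Image-Storage.dcm".
FRAME_PREFIX = re.compile(r"^(\d+)-")


def export_dicom(pcap, outdir, tshark="tshark"):
    """Export DICOM objects from a capture with the tshark CLI."""
    Path(outdir).mkdir(parents=True, exist_ok=True)
    subprocess.run([tshark, "-r", str(pcap), "-q",
                    "--export-objects", f"dicom,{outdir}"], check=True)


def inventory(directory):
    """Map file name -> SHA-256 hex digest for every file in a directory."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


def per_frame_counts(names):
    """Count exported objects per leading packet number (None if absent)."""
    counts = Counter()
    for name in names:
        m = FRAME_PREFIX.match(name)
        counts[int(m.group(1)) if m else None] += 1
    return dict(counts)


def compare_exports(gui_dir, cli_dir):
    """Report where two export directories disagree by name, count or hash."""
    gui, cli = inventory(gui_dir), inventory(cli_dir)
    gui_frames, cli_frames = per_frame_counts(gui), per_frame_counts(cli)
    frames = sorted(set(gui_frames) | set(cli_frames), key=str)
    return {
        "only_gui": sorted(gui.keys() - cli.keys()),
        "only_cli": sorted(cli.keys() - gui.keys()),
        "hash_mismatch": sorted(n for n in gui.keys() & cli.keys()
                                if gui[n] != cli[n]),
        # packet number -> (objects from GUI, objects from tshark)
        "count_mismatch": {f: (gui_frames.get(f, 0), cli_frames.get(f, 0))
                           for f in frames
                           if gui_frames.get(f, 0) != cli_frames.get(f, 0)},
    }
```

Record `tshark -v` and `wireshark -v` alongside the report, since the thread shows the two tools were at different versions.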


Asked: 2020-08-10 17:10:38 +0000

Seen: 285 times

Last updated: Aug 16 '20