Wireshark-dev: Re: [Wireshark-dev] Question on text2pcap behaviour

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 1 May 2008 11:51:47 +0200

On Thu, May 01, 2008 at 12:36:16PM +0400, Abhik Sarkar wrote:
> Hi All,
> 
> I just ran into a small problem while using text2pcap and I wanted to
> know (before I attempt to fix it) whether this is a problem at all.
> 
> Let's say I have a text file with a single line as so (this is just an
> example, not actual payload):
> 00000000 30 31 32 33 34 35 36 37 38 39 0123456789
> 
> According to the comments in text2pcap.c, The text at the end is
> ignored. My interpretation of this is that the text at the end may or
> may not be present. Perhaps this interpretation is not quite right
> because, if I have a like like this (quotes added to clarify the
> situation):
> "00000000 30 31 32 33 34 35 36 37 38 39"
> the last byte is ignored. However, if the line is like this
> "00000000 30 31 32 33 34 35 36 37 38 39 "
> then it is parsed correctly.
> 
> Not having the text part in the end is useful sometimes because
> sometimes we get just a hex dump of the TCP payload (but without the
> text part in the end).

Have a look at bug 1723 which already has a patch to improve the
parsing of text2pcap. The author of the patch has not responded to
the latest comments of Richard though. Maybe we should take his work
and polish it for him?

(http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1723)

Cheers,
     Sake