
Wireshark-bugs: [Wireshark-bugs] [Bug 3895] Save-As Nokia tcpdump corrupts the file

Date: Sun, 10 Jan 2010 08:32:12 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3895

--- Comment #4 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-01-10 08:32:07 PST ---
(In reply to comment #3)
> 
> Here is a small test file to reproduce the issue. To reproduce it, open the
> file, select File->Save As, choose All Packets (Displayed), keep the default
> file format of Nokia tcpdump. When you open the resulting file, it will show
> up as corrupted. I think this is because Wireshark is zeroing out the extra
> 32-bit value in the Nokia IPSO header.

Wireshark isn't able to read files it saves in "Nokia" format because the
heuristic Wireshark uses to detect Nokia format files breaks if in a Nokia file
the extra 32-bit value is 0.

This could be fixed by adding some additional validation to the heuristic but
I'm hesitant to do so since this would be a change to code used to read and
validate all libpcap format files to fix a minor problem.

I'll leave this to Guy Harris to decide (he's the expert).

The possible additional validation to wiretap/libpcap.c libpcap_read_header():

Do either or both of the following tests:

a. Consider a capture file corrupt if in the per-packet header either
hdr->hdr.orig_len or hdr->hdr.incl_len has a value of 0.

b. Consider a capture file corrupt if in the per-packet header
hdr->hdr.orig_len < hdr->hdr.incl_len.


PS: File->Save As -> All Packets/Captures works because in this case Wireshark 
just copies the file (if the format isn't being changed).

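The two per-packet checks proposed in the comment above, applied to a classic libpcap record header, as an added stand-alone example. This is not Wireshark's wiretap/libpcap.c code: it assumes the standard 16-byte record header layout (ts_sec, ts_usec, incl_len, orig_len) in host byte order, skips the byte-swapping and Nokia-variant header handling that the real reader does, and uses a constructed in-memory "file" instead of reading from disk. Note that test (b) only rejects incl_len greater than orig_len; a record that was snapped (incl_len < orig_len) is still accepted.

```c
/* Added example: per-packet sanity checks (a) and (b) for libpcap record headers.
 * Not Wireshark's wiretap code; layout and byte order are assumed (host order). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic libpcap per-packet record header, 16 bytes, host byte order assumed. */
struct pcaprec_hdr {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t incl_len;  /* bytes of packet data actually stored in the file */
    uint32_t orig_len;  /* length of the packet as seen on the wire */
};

enum rec_status {
    REC_OK = 0,
    REC_ZERO_LEN,      /* test (a): incl_len or orig_len is 0 */
    REC_ORIG_LT_INCL,  /* test (b): orig_len < incl_len */
    REC_TRUNCATED      /* header or packet data runs past the end of the buffer */
};

/* The two proposed validations, applied to one decoded record header. */
enum rec_status check_lengths(const struct pcaprec_hdr *h) {
    if (h->incl_len == 0 || h->orig_len == 0) return REC_ZERO_LEN;   /* (a) */
    if (h->orig_len < h->incl_len)            return REC_ORIG_LT_INCL; /* (b) */
    return REC_OK;
}

/* Validate the record at *off in buf[0..len). On success, advance *off past
 * the record's packet data; otherwise return the first failing check. */
enum rec_status validate_record(const uint8_t *buf, size_t len, size_t *off) {
    struct pcaprec_hdr h;
    enum rec_status s;
    if (*off > len || len - *off < sizeof h) return REC_TRUNCATED;
    memcpy(&h, buf + *off, sizeof h);          /* memcpy avoids unaligned access */
    s = check_lengths(&h);
    if (s != REC_OK) return s;
    if (h.incl_len > len - *off - sizeof h) return REC_TRUNCATED;
    *off += sizeof h + h.incl_len;
    return REC_OK;
}

/* Walk all records in the buffer (global file header assumed already consumed).
 * Returns the number of records accepted before the first failure; *why
 * receives REC_OK if every record passed, else the status of the bad record. */
int walk_records(const uint8_t *buf, size_t len, enum rec_status *why) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        enum rec_status s = validate_record(buf, len, &off);
        if (s != REC_OK) { *why = s; return n; }
        n++;
    }
    *why = REC_OK;
    return n;
}

/* Constructed test data: write one record header plus incl_len filler bytes at p. */
size_t build_record(uint8_t *p, uint32_t incl_len, uint32_t orig_len) {
    struct pcaprec_hdr h = { 1262000000u, 0u, incl_len, orig_len };
    memcpy(p, &h, sizeof h);
    memset(p + sizeof h, 0xAA, incl_len);
    return sizeof h + incl_len;
}

/* Classify a single constructed record with the given length fields (incl_len <= 240). */
enum rec_status classify_record(uint32_t incl_len, uint32_t orig_len) {
    uint8_t buf[256];
    size_t n = build_record(buf, incl_len, orig_len);
    size_t off = 0;
    return validate_record(buf, n, &off);
}

/* Constructed sample "file": two valid records followed by one with orig_len == 0. */
int demo_sample_file(enum rec_status *why) {
    uint8_t buf[512];
    size_t n = 0;
    n += build_record(buf + n, 60, 60);    /* full-size frame */
    n += build_record(buf + n, 96, 1514);  /* snapped frame: incl < orig is legitimate */
    n += build_record(buf + n, 42, 0);     /* corrupt per test (a): orig_len == 0 */
    return walk_records(buf, n, why);
}

int main(void) {
    enum rec_status why;
    int good = demo_sample_file(&why);
    printf("accepted %d record(s) before status %d\n", good, (int)why);
    return 0;
}
```

The walker stops at the first failing record, which mirrors how a reader would flag the file as corrupt rather than silently skipping the bad entry; the constructed sample deliberately includes a snapped frame so the difference between "truncated capture" (allowed) and "impossible lengths" (rejected) is visible.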