
Wireshark-dev: [Wireshark-dev] Wiretap's mpeg decoder has weak magic for MPEG-PES

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Sun, 16 Nov 2008 19:38:39 -0700
One of the magic sequences in the wiretap mpeg decoder is pretty weak 
and is grabbing files that belong to a new wiretap decoder I'm writing.  
It is the sequence for MPEG-PES: 0x000001.  The problem is that I can't 
find any way to strengthen it without the possibility of breaking 
something.  The packet header (according to 
http://en.wikipedia.org/wiki/Packetized_Elementary_Stream) begins as follows:

Packet start code prefix	3 bytes		0x000001
Stream ID			1 byte		Examples: 0xC0-0xDF, 0xE0-0xEF
PES Packet Length		2 bytes		Can be zero(!)

I would match those stream ids, but I'm sure there are others floating 
around out there.  The packet length would work nicely if it couldn't be 
zero (".. as in not specified for video streams in transport streams.")

Any ideas?

P.S. The new wiretap decoder I've written reads in files from Apple's 
PacketLogger Bluetooth data capture program.  It's available on MacOS X 
and comes with Xcode.


Thanks,
  Steve
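
Added example, not part of the original post or of Wireshark's wiretap code: a C comparison of the weak 3-byte check with a stricter heuristic built on the stream ID and length fields from the header layout in the message. The acceptance rules (zero length only for the video stream IDs 0xE0-0xEF, otherwise a second start code must follow at offset 6 + length) and all sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Weak check from the post: only the 3-byte start code prefix 0x000001. */
static int pes_magic_weak(const uint8_t *buf, size_t len)
{
    return len >= 3 && buf[0] == 0x00 && buf[1] == 0x00 && buf[2] == 0x01;
}

/* Stricter heuristic (assumed rules for this example, not Wireshark's code).
 * Returns 1 if the buffer plausibly starts with a PES packet, else 0. */
static int pes_magic_strict(const uint8_t *buf, size_t len)
{
    if (len < 6 || !pes_magic_weak(buf, len))
        return 0;

    uint8_t stream_id = buf[3];
    size_t pes_len = ((size_t)buf[4] << 8) | buf[5];   /* big-endian */

    /* Length 0 means "not specified", which the quoted note ties to video
     * streams, so accept it only for the video stream ID range. */
    if (pes_len == 0)
        return stream_id >= 0xE0 && stream_id <= 0xEF;

    /* The length counts the bytes after the length field, so the next
     * packet's start code must sit at offset 6 + pes_len. */
    size_t next = 6 + pes_len;
    if (next + 3 > len)
        return 0;               /* cannot confirm: do not claim the file */
    return pes_magic_weak(buf + next, len - next);
}

/* Constructed samples: two PES-like buffers and one record from a
 * hypothetical format that merely happens to begin with 00 00 01. */
static const uint8_t pes_audio[] = { 0x00,0x00,0x01,0xC0,0x00,0x04,
    0xDE,0xAD,0xBE,0xEF, 0x00,0x00,0x01,0xC0,0x00,0x00 };
static const uint8_t pes_video[] = { 0x00,0x00,0x01,0xE0,0x00,0x00,0x11,0x22 };
static const uint8_t other_fmt[] = { 0x00,0x00,0x01,0x0D,0x00,0x02,
    0xAA,0xBB,0xCC,0xDD,0xEE,0xFF };

int main(void)
{
    int ok = pes_magic_weak(other_fmt, sizeof other_fmt) == 1   /* false hit */
          && pes_magic_strict(other_fmt, sizeof other_fmt) == 0
          && pes_magic_strict(pes_audio, sizeof pes_audio) == 1
          && pes_magic_strict(pes_video, sizeof pes_video) == 1;
    return ok ? 0 : 1;
}
```

The chained check needs up to 6 + 65535 + 3 bytes buffered before it can decide, and it rejects a file truncated inside its first packet.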