Wireshark-dev: [Wireshark-dev] Autodetection of file types
From: Matt Godbolt <[email protected]>
Date: Fri, 1 Jul 2011 15:07:19 +0000
Hi all,

I've just hit an issue where an Endace packet file (ERF) that I'm trying to load into wireshark is being incorrectly loaded as a "packetlogger" file type.

>From looking at the source, the packetlogger_open() call doesn't to seem to be very restrictive - I can see how it could generate false positives.  I can also see from file_access.c that packetlogger files have sometimes been mis-identified as mpegs.

An obvious solution would be to move the erf_open routine above packetlogger_open, which would also appear require moving netscreen_open above too (false positives there too)...

Given how fragile this whole process is, would that be safe - and how might I go about testing that I haven't broken anything else if I were to do so?

Failing all that; there's quite a simple way to detect ERFs (in the case that I'm seeing...) - relying on the '.erf' at the end of the filename. Presumably that's a no-go for other reasons.

Any ideas on this front gratefully appreciated,

Thanks, Matt
This e-mail and any attachments may contain information that is confidential and proprietary and otherwise protected from disclosure. If you are not the intended recipient of this e-mail, do not read, duplicate or redistribute it by any means. Please immediately delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail or any attachments. The DRW Companies make no representations that this e-mail or any attachments are free of computer viruses or other defects.