Wireshark-dev: Re: [Wireshark-dev] Autodetection of file types
From: Stephen Fisher <[email protected]>
Date: Mon, 11 Jul 2011 17:42:44 -0600
On Fri, Jul 01, 2011 at 03:07:19PM +0000, Matt Godbolt wrote:

> From looking at the source, the packetlogger_open() call doesn't 
> seem to be very restrictive - I can see how it could generate false 
> positives.  I can also see from file_access.c that packetlogger files 
> have sometimes been mis-identified as mpegs.

It has been over 2 years since I wrote the Packet Logger code, so I 
don't recall the details, but my original commit (r27463) had this 
comment in it: "This type does not have a magic number, but its files 
are sometimes grabbed by mpeg_open." when I put packetlogger_open above 
mpeg_open in wiretap/file_access.c.  The "fix" for now may just be to move 
packetlogger_open further down again as you mentioned in your e-mail.

> Given how fragile this whole process is, would that be safe - and how 
> might I go about testing that I haven't broken anything else if I were 
> to do so?

In another wiretap file support that I wrote (CommView), I went possibly 
overboard in checking almost every value in the header such as dates to 
make sure they were between 1970 and 2038 and hours to make sure they were 
under 23, etc.  Something similar may need to be done with PacketLogger, 
although it apparently only has two fields in the header: len (length?) 
and ts (timestamp?).
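The kind of header plausibility check described above, as an added example that is not code from Wireshark, from wiretap/packetlogger.c, or from either mail. The record layout it assumes is a guess for illustration only: a 4-byte big-endian len covering everything after the length field, then a 4-byte seconds and a 4-byte microseconds timestamp. The sample buffers are constructed; the second one begins with MPEG-style start-code bytes to show how a magic-less probe can be fooled by another format unless every field, not just the first one, is range-checked.

```c
/* Added example (not Wireshark code): heuristic "open" check for a record
 * format that has no magic number, modelled on the two header fields the
 * mail mentions (len and ts).  The byte layout below is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN        12            /* assumed: 4-byte len + 4-byte secs + 4-byte usecs */
#define TS_FIELDS_LEN  8             /* assumed: len counts the 8 timestamp bytes too */
#define MAX_RECORD_LEN (64u * 1024u) /* assumed sane upper bound for one record */
#define TS_MAX         2147483647u   /* 2038-01-19, the upper end of the range in the mail */
#define USEC_MAX       999999u

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Check one record header at buf (n bytes available).  Returns the total
 * record size in bytes if every field is plausible, 0 otherwise. */
size_t record_plausible(const uint8_t *buf, size_t n)
{
    if (n < HDR_LEN)
        return 0;
    uint32_t len   = rd_be32(buf);
    uint32_t secs  = rd_be32(buf + 4);
    uint32_t usecs = rd_be32(buf + 8);

    /* len must at least cover the timestamp and must not be absurd. */
    if (len < TS_FIELDS_LEN || len > MAX_RECORD_LEN)
        return 0;
    /* Timestamp must fall in 1970..2038 (secs is unsigned, so >= 0 is implicit). */
    if (secs > TS_MAX)
        return 0;
    /* Microseconds must be a valid fraction of a second. */
    if (usecs > USEC_MAX)
        return 0;
    size_t total = 4 + (size_t)len;
    if (total > n)               /* record runs past the data we hold */
        return 0;
    return total;
}

/* Heuristic probe: accept only if the first min_records records in a row
 * all pass.  Checking several consecutive records, not just the first,
 * further lowers the false-positive rate.  Returns 1 on accept, 0 on reject. */
int probe_capture(const uint8_t *buf, size_t n, int min_records)
{
    size_t off = 0;
    for (int i = 0; i < min_records; i++) {
        size_t sz = record_plausible(buf + off, n - off);
        if (sz == 0)
            return 0;
        off += sz;
    }
    return 1;
}

/* Constructed sample: three records, each len=10 (8 timestamp bytes + 2
 * payload bytes), secs=0x4E000000 (mid-2011), usecs=123456. */
const uint8_t SAMPLE_GOOD[] = {
    0x00,0x00,0x00,0x0A, 0x4E,0x00,0x00,0x00, 0x00,0x01,0xE2,0x40, 0x01,0x02,
    0x00,0x00,0x00,0x0A, 0x4E,0x00,0x00,0x00, 0x00,0x01,0xE2,0x40, 0x03,0x04,
    0x00,0x00,0x00,0x0A, 0x4E,0x00,0x00,0x00, 0x00,0x01,0xE2,0x40, 0x05,0x06,
};
const size_t SAMPLE_GOOD_LEN = sizeof SAMPLE_GOOD;

/* Constructed sample that starts with MPEG-style start-code bytes.  Read as
 * our header: len=0x1BA (passes), secs=0x44000400 (passes, it is in 2006),
 * usecs=0x04010189 (fails: > 999999).  Only the third check rejects it. */
const uint8_t SAMPLE_MPEG_LIKE[] = {
    0x00,0x00,0x01,0xBA, 0x44,0x00,0x04,0x00, 0x04,0x01,0x01,0x89,
    0xC3,0xF8,0x00,0x00, 0x01,0xBB,0x00,0x12,
};
const size_t SAMPLE_MPEG_LIKE_LEN = sizeof SAMPLE_MPEG_LIKE;

int main(void)
{
    printf("good capture, 3 records: %d\n", probe_capture(SAMPLE_GOOD, SAMPLE_GOOD_LEN, 3));
    printf("mpeg-like bytes:        %d\n", probe_capture(SAMPLE_MPEG_LIKE, SAMPLE_MPEG_LIKE_LEN, 1));
    printf("truncated good capture: %d\n", probe_capture(SAMPLE_GOOD, 20, 2));
    return 0;
}
```

The point of the second sample is the one the mail makes: a check on len alone (or even len plus seconds) still accepts the MPEG-like bytes, and only range-checking every field rejects them. Ordering probes in file_access.c only decides which false positive wins; tightening each probe is what removes them.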