Ethereal-dev: [ethereal-dev] TCP Follow Save As

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 04 Aug 2000 20:47:24 -0500

Today I took a trace of me sending a 10,000-byte file full of "A"
characters across a TCP socket using netcat. I did a "TCP Follow"
and used "Save As" to save the file. To my surprise, the file
had extra data in it.

I had never looked at the TCP follow code too closely; today I found
out that a tcp_stream_chunk struct is written out to the temporary
file in front of every TCP chunk. So, TCP Follow Save As, while useful,
is not perfect; it simply copies the temporary file to a new file,
with the tcp_stream_chunk headers.

To remedy this, I think I'll add these options to the TCP Follow
Save As dialogue box (as a radio button group):

	o Save x.x.x.x --> y.y.y.y
	o Save x.x.x.x <-- y.y.y.y
	o Save bidirectional

and then not do a file copy, but re-process the temporary file,
avoiding copying the headers.

The other option is to place a magic header in the file, so we know
it's an "Ethereal TCP Follow" file, and provide an extra utility
to extract the appropriate data from the file. But I don't like
that idea too much; I'd rather have it done from Ethereal's GUI.

Does anyone have any other ideas?

--gilbert
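
Added example, not part of the original message and not Ethereal's own code: a sketch of the "re-process the temporary file" approach described above, walking header-prefixed chunks and copying only the payload for the selected direction. The header layout (struct chunk_hdr), the names put_chunk and extract_stream, and the sample addresses and ports are assumptions made for illustration; the post does not show the real tcp_stream_chunk fields.

```c
#include <stdint.h>
#include <string.h>

/* Assumed per-chunk header; the real tcp_stream_chunk layout is not in the post. */
struct chunk_hdr { uint32_t src_addr; uint16_t src_port; uint32_t dlen; };
enum save_dir { SAVE_A_TO_B, SAVE_B_TO_A, SAVE_BOTH };

/* Append one header+payload record at off (used to build constructed sample data). */
size_t put_chunk(uint8_t *buf, size_t off, uint32_t addr, uint16_t port,
                 const void *data, uint32_t dlen)
{
    struct chunk_hdr h;
    memset(&h, 0, sizeof h);                   /* zero padding bytes too */
    h.src_addr = addr; h.src_port = port; h.dlen = dlen;
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, data, dlen);
    return off + sizeof h + dlen;
}

/* Copy only payload for the chosen direction; "A" is the first chunk's sender.
 * Returns bytes written, or (size_t)-1 on truncated input or a full output buffer. */
size_t extract_stream(const uint8_t *tmp, size_t len, enum save_dir dir,
                      uint8_t *out, size_t cap)
{
    struct chunk_hdr h, first = {0, 0, 0};
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < sizeof h) return (size_t)-1;   /* truncated header */
        memcpy(&h, tmp + off, sizeof h);
        off += sizeof h;
        if (h.dlen > len - off) return (size_t)-1;     /* dlen runs past the file */
        if (off == sizeof h) first = h;                /* first record defines A */
        int from_a = h.src_addr == first.src_addr && h.src_port == first.src_port;
        if (dir == SAVE_BOTH || (dir == SAVE_A_TO_B) == from_a) {
            if (h.dlen > cap - n) return (size_t)-1;   /* output too small */
            memcpy(out + n, tmp + off, h.dlen);
            n += h.dlen;
        }
        off += h.dlen;
    }
    return n;
}

int main(void)
{
    uint8_t tmp[128], out[64];                 /* constructed sample stream */
    size_t end = put_chunk(tmp, 0, 0x0a000001u, 4321, "AAAA", 4);
    end = put_chunk(tmp, end, 0x0a000002u, 80, "ok", 2);
    return extract_stream(tmp, end, SAVE_A_TO_B, out, sizeof out) == 4 ? 0 : 1;
}
```

A plain file copy of the same buffer would yield every header byte as well as the payload, which is the extra data seen in the saved file.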