Wireshark · Ethereal-dev: Re: [Ethereal-dev] text2pcap with Timecodes - Patch Files

[Guy Harris <gharris@xxxxxxxxx>]

On Thu, Nov 22, 2001 at 08:14:44PM -0000, Gordon McKinney wrote:
> Here are the patches to enable text2pcap to parse time codes. I have also
> enclosed an example capture file.

Unfortunately, your capture file demonstrates that text2pcap is very
badly buggy (and your changes don't introduce the bug, the bug's been
there since Day One) - it parses the following packet dump, which is one
of the captures from your sample, *very* incorrectly:

22/11/2001 20:03:24.9218
0000	 21 45 00 01 C9 26 33 40 00 80 06 C5 E2 9E 98 47	!E...&3@.......G
0010	 D2 41 D0 E4 DE 06 A2 00 50 34 B9 19 75 88 05 A0	.A......P4..u...
0020	 22 50 18 44 70 AA 81 00 00 47 45 54 20 2F 20 48	"P.Dp....GET / H
0030	 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A	TTP/1.1..Accept:
0040	 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67	 image/gif, imag
0050	 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61	e/x-xbitmap, ima
0060	 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70	ge/jpeg, image/p
0070	 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F	jpeg, applicatio
0080	 6E 2F 76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70 6F	n/vnd.ms-powerpo
0090	 69 6E 74 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E	int, application
00A0	 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61	/vnd.ms-excel, a
00B0	 70 70 6C 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72	pplication/mswor
00C0	 64 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C	d, */*..Accept-L
00D0	 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67 62 0D 0A	anguage: en-gb..
00E0	 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A	Accept-Encoding:
00F0	 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A	 gzip, deflate..
0100	 49 66 2D 4D 6F 64 69 66 69 65 64 2D 53 69 6E 63	If-Modified-Sinc
0110	 65 3A 20 46 72 69 2C 20 31 36 20 4E 6F 76 20 32	e: Fri, 16 Nov 2
0120	 30 30 31 20 31 35 3A 30 34 3A 35 31 20 47 4D 54	001 15:04:51 GMT
0130	 0D 0A 49 66 2D 4E 6F 6E 65 2D 4D 61 74 63 68 3A	..If-None-Match:
0140	 20 22 31 62 66 33 33 2D 32 32 32 62 2D 33 62 66	 "1bf33-222b-3bf
0150	 35 32 62 31 33 22 0D 0A 55 73 65 72 2D 41 67 65	52b13"..User-Age
0160	 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20	nt: Mozilla/4.0 
0170	 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49	(compatible; MSI
0180	 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E	E 6.0; Windows N
0190	 54 20 35 2E 30 29 0D 0A 48 6F 73 74 3A 20 77 77	T 5.0)..Host: ww
01A0	 77 2E 65 74 68 65 72 65 61 6C 2E 63 6F 6D 0D 0A	w.ethereal.com..
01B0	 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70	Connection: Keep
01C0	 2D 41 6C 69 76 65 0D 0A 0D 0A                  	-Alive....      

Given that it does not know whether it's in the middle of processing the
ASCII text part of a text dump or not, it thinks that the last token in
the line

00A0	 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61	/vnd.ms-excel, a

is a single hex digit "a" followed by a newline - which it thinks is an
offset!

It really needs to be fixed so that, as long as it's processing what it
thinks it's text, it thinks *EVERYTHING* is text - not offsets, not
binary data, not *ANYTHING* else - until it sees a line ending.