Ethereal-dev: [Ethereal-dev] ETHEREAL bug in handling TR1 file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Rostislav Letos" <rletos@xxxxxxxxxxxxx>
Date: Thu, 26 Jun 2003 01:32:44 +0200
Hi there,

one of our customers has just found that ETHEREAL has a potential problem when reading packets from LANalyzer TR1 file format.
We looked into the issue, and it seems that for historical reason ETHEREAL decreases packet size which is stored in packet data record struct-0x1005 (assuming it includes FCS bytes) before reading packet data.
In case exact packet size (without FCS bytes) is stored there, only part of packet data is read by ETHEREAL, and packet analyse fails. Last 4 bytes from each packet are always missing in ETHEREAL window.

I know the old LANalyzer included FCS bytes here, but according to official TR1 file format documentation, this variable should keep length of stored packet data.
So I would clasify this as a bug in ETHEREAL.

The correct handling here should be to determine available packet data length by comparing this stored value with length counted from packet record (0x1005, record length-32bytes). This way you can avoid cutting 4 bytes from the packet in case exact packet length is stored there.

Can you please fix it in ETHEREAL ?
TR1 files generated by our NETMON for NetWare can be easily handled by LANalyzer or Sniffer, but not by your ETHEREAL.


Many thanks !

Rostislav Letos
ROLETOSoft