Ethereal-dev: [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Andrew Johns" <ajohns@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Dec 2003 16:53:48 +1100 (EST)
[Please CC me in replies as I am not subscribed to the list - and yes I
know, bad form, etc etc]

All,

Just banging my head against a wall trying to decode capture files
produced by an old version of etherpeek (called EtherHelp).

Although the doco says that I can open etherpeek files (and etherpeek does
open them), ethereal will not.

However, after opening the file in etherpeek, it changes the file and
resaves it without telling you!!!!

The result is that ethereal will now open the newly saved file (at least
some good comes out of violating my files without my consent!)

A quick diff shows that only the first byte of the file changes - and in a
well-formed manner, in that the first character of the etherhelp file is
char(135) (135=128+7) vs the first char of the etherpeek file which is
char(7)....

So, simple fix is to rip 128 from the ASCII value of the first char and
then open using the etherpeek filter :)

One line shell command to 'repair' all files in current directory (tested
only using cygwin so be careful as I delete the original file afterwards):

NOTE: ^G is a single character, entered in shell using CTRL+V, followed
immediately by CTRL+G

wc -c *.pkt|while read FSIZE FNAME; do [ -f "$FNAME" ] || continue; FSIZE=`expr $FSIZE - 1`; echo -n ^G > "$FNAME.cap"; tail -c $FSIZE "$FNAME" >> "$FNAME.cap"; rm "$FNAME"; done

Just thought that someone should know, for reference.

Regards
dm0302
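
The repair described in the message above, as an added example that is not part of the original post: a shell function that checks the first byte is 135 before rewriting it to 7, writes the result to a new file, and keeps the original. The function name etherhelp_to_etherpeek and its return codes are assumptions of this example.

```shell
# Added example (not from the original post). The function name and the
# return codes are this example's own choices.
# Rewrites an EtherHelp capture (first byte 135 = 0x87) as an EtherPeek
# capture (first byte 7) in a new file, leaving the original untouched.
etherhelp_to_etherpeek() {
    src=$1
    dst=$2
    if [ ! -f "$src" ]; then
        echo "skip: $src is not a regular file" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "skip: $dst already exists" >&2
        return 2
    fi
    # Decimal value of the first byte; empty for a zero-length file.
    first=$(od -An -tu1 -N1 "$src" | tr -d ' \n')
    case $first in
        135) ;;
        7)
            echo "skip: $src already starts with byte 7" >&2
            return 1 ;;
        *)
            echo "skip: $src starts with byte '${first}', not 135" >&2
            return 3 ;;
    esac
    tmp=$dst.tmp.$$
    # New first byte (octal 007), then everything from byte 2 onward.
    if ! { printf '\007'; tail -c +2 "$src"; } > "$tmp"; then
        rm -f "$tmp"
        return 4
    fi
    mv "$tmp" "$dst"
}

# Usage, from the directory holding the captures:
#   for f in *.pkt; do etherhelp_to_etherpeek "$f" "${f%.pkt}.cap"; done
```

Files that do not start with byte 135 are reported and skipped, so a capture that is already in EtherPeek form, or an unrelated .pkt file, is never modified.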