On Feb 5, 2014, at 12:21 AM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:
> I am thinking about formats without any magic numbers - formats that
> begin with the first packet, like binary Logcat/Logger
> (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8279) or a raw
> media file, like a file that contains only SBC frames (see "libsbc"), etc.
> (formats without a header).
>
> And the fact that Wireshark does not only check magic bytes, but tries all
> open routines
Wireshark *doesn't* try all open routines - once an open routine returns success, it stops.
And it tries the magic number ones before the heuristics (this is by design and is what is intended).
> is a great feature (if the magic bytes are OK, but the payload is not)
If the magic number is OK, but the payload is not, the probability is extremely high that you have a corrupted file, and forcing Wireshark to treat the file as being of another file format won't help.
As far as I know, we've *never* had a problem with files of some non-magic-number format incorrectly being recognized as a file of some type with a magic number; all the problems we've seen have, not surprisingly, been with files that don't have magic numbers.
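
The detection order described in this message, as an added example that is not part of the original e-mail and is not Wireshark's wiretap code: magic-number routines run first, heuristics second, and the first success ends the search. The `lenrec` format, the routine table and all names are hypothetical, and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the two-pass order; not Wireshark's wiretap code. */
typedef enum { OPEN_MAGIC, OPEN_HEURISTIC } open_kind;
struct open_routine { const char *name; open_kind kind;
                      int (*fn)(const uint8_t *buf, size_t len); };

/* Classic pcap magic number 0xa1b2c3d4, stored in either byte order. */
static int open_pcap(const uint8_t *b, size_t n) {
    static const uint8_t be[4] = {0xa1, 0xb2, 0xc3, 0xd4}, le[4] = {0xd4, 0xc3, 0xb2, 0xa1};
    return n >= 4 && (memcmp(b, be, 4) == 0 || memcmp(b, le, 4) == 0);
}

/* Hypothetical headerless format: [u8 length][payload] records back to back.
 * Accept only if non-empty records tile the buffer exactly. */
static int open_lenrec(const uint8_t *b, size_t n) {
    for (size_t off = 0; off < n; off += 1 + (size_t)b[off])
        if (b[off] == 0 || (size_t)b[off] > n - off - 1) return 0; /* empty or truncated */
    return n > 0;
}

/* The heuristic is listed first on purpose: table order must not matter. */
static const struct open_routine routines[] = {
    {"lenrec (heuristic)", OPEN_HEURISTIC, open_lenrec},
    {"pcap (magic)", OPEN_MAGIC, open_pcap},
};

/* Magic-number routines run first, heuristics second; first success wins. */
const char *identify(const uint8_t *buf, size_t len) {
    for (int pass = OPEN_MAGIC; pass <= OPEN_HEURISTIC; pass++)
        for (size_t i = 0; i < sizeof routines / sizeof routines[0]; i++)
            if (routines[i].kind == (open_kind)pass && routines[i].fn(buf, len))
                return routines[i].name;
    return NULL;
}

/* Constructed samples. sample_both passes the magic check AND the heuristic. */
const uint8_t sample_both[162] = {0xa1, 0xb2, 0xc3, 0xd4};   /* rest is zero */
const uint8_t sample_lenrec[] = {3, 'a', 'b', 'c', 2, 'd', 'e'};
const uint8_t sample_junk[] = {5, 1};

int main(void) {
    const char *r = identify(sample_both, sizeof sample_both);
    return puts(r ? r : "unknown") < 0;
}
```

`sample_both` is accepted by both routines, yet `identify` reports it as pcap because the magic-number pass finishes before any heuristic is consulted.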