Wireshark mailing list archives

Re: Omnivorous Shark


From: Guy Harris <guy () alum mit edu>
Date: Wed, 5 Feb 2014 01:32:00 -0800


On Feb 5, 2014, at 12:21 AM, Michal Labedzki <michal.labedzki () tieto com> wrote:

> I am thinking about formats without any magic numbers - formats that
> begin with the first packet, like binary Logcat/Logger
> (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8279) or a raw
> media file, like a file that contains only SBC frames (see "libsbc"), etc.
> (formats without a header).

> And the fact that Wireshark does not only check magic bytes, but tries all
> open routines

Wireshark *doesn't* try all open routines - once an open routine returns success, it stops.

And it tries the magic number ones before the heuristics (this is by design and is what is intended).

> is a great feature (if the magic bytes are OK, but the payload is not)

If the magic number is OK, but the payload is not, the probability is extremely high that you have a corrupted file,
and forcing Wireshark to treat the file as being of another file format won't help.

As far as I know, we've *never* had a problem with files of some non-magic-number format incorrectly being recognized 
as a file of some type with a magic number; all the problems we've seen have, not surprisingly, been with files that 
don't have magic numbers.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
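
The lookup order described in the reply above (magic-number routines before heuristics, stopping at the first success), as an added C sketch that is not part of the original message and is not Wireshark's wiretap code. The routine table, function names and sample bytes are hypothetical, each routine looks only at the first bytes, and the SBC sync byte 0x9c is an assumption of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an open-routine table; not Wireshark's wiretap API. */
typedef int (*open_fn)(const unsigned char *b, size_t n); /* 1 = file claimed */
struct routine { const char *name; int has_magic; open_fn open; };

static int open_pcap(const unsigned char *b, size_t n) {
    static const unsigned char le[4] = {0xd4, 0xc3, 0xb2, 0xa1};
    static const unsigned char be[4] = {0xa1, 0xb2, 0xc3, 0xd4};
    return n >= 4 && (memcmp(b, le, 4) == 0 || memcmp(b, be, 4) == 0);
}
static int open_pcapng(const unsigned char *b, size_t n) {
    static const unsigned char shb[4] = {0x0a, 0x0d, 0x0d, 0x0a};
    return n >= 4 && memcmp(b, shb, 4) == 0;
}
/* Headerless format: assumes an SBC frame begins with the sync byte 0x9c. */
static int open_sbc_heur(const unsigned char *b, size_t n) {
    return n >= 1 && b[0] == 0x9c;
}
static const struct routine routines[] = {
    {"sbc-heuristic", 0, open_sbc_heur}, /* listed first, still tried last */
    {"pcap", 1, open_pcap},
    {"pcapng", 1, open_pcapng},
};
/* Magic-number routines first, then heuristics; stop at the first success.
   *tried reports how many routines were called. Returns NULL if none claim. */
const char *detect(const unsigned char *b, size_t n, int *tried) {
    size_t count = sizeof routines / sizeof routines[0];
    *tried = 0;
    for (int pass = 1; pass >= 0; pass--)
        for (size_t i = 0; i < count; i++) {
            if (routines[i].has_magic != pass) continue;
            (*tried)++;
            if (routines[i].open(b, n)) return routines[i].name;
        }
    return NULL;
}

/* Constructed sample inputs (first bytes of two imaginary files). */
const unsigned char pcap_bad_payload[] = {0xd4, 0xc3, 0xb2, 0xa1, 0x9c, 0xff, 0xff, 0xff};
const unsigned char random_blob[] = {0x9c, 0x00, 0x00, 0x00}; /* not SBC, same first byte */

int main(void) {
    int t;
    const char *a = detect(pcap_bad_payload, sizeof pcap_bad_payload, &t);
    printf("%s after %d routine(s)\n", a, t);
    return 0;
}
```

The file with a pcap magic number and a garbage payload is claimed by the pcap routine on the first call and never reaches a heuristic, while the headerless blob is claimed by the heuristic on a single matching byte, which is where misidentification can occur.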

