Wireshark mailing list archives

Re: mergecap truncated files


From: Guy Harris <guy () alum mit edu>
Date: Tue, 19 Jun 2018 00:20:28 -0700

On Jun 18, 2018, at 9:35 PM, Jaap Keuter <jaap.keuter () xs4all nl> wrote:

... so hardening against truncated files is already a feature of editcap, which could be extended to the other command line tools.
Spitting out a line to stderr and keeping going would be a possible course of action for mergecap.

I wouldn't call it "hardening"; it just means that the main processing loop of editcap is

        while (reading a packet succeeds) {
                process the packet
                write the resulting packet out
        }
        if (it failed due to an error rather than an EOF)
                report the error

rather than

        while (reading a packet succeeds) {
                process the packet
                write the resulting packet out
        }
        if (it failed due to an error rather than an EOF) {
                report the error
                remove the file to which we were writing
        }

just as the main reading loop of Wireshark is

        while (reading a packet succeeds)
                add the packet to the packet list
        if (it failed due to an error rather than an EOF)
                report the error

rather than

        while (reading a packet succeeds)
                add the packet to the packet list
        if (it failed due to an error rather than an EOF) {
                report the error
                close the capture and revert to the splash window
        }

What we could do is have the main loop of mergecap be

        while (we think we still have packets to read) {
                for (all files that haven't gotten an EOF or error and for which we don't have a packet buffered up) {
                        try to read a packet from that file;
                        if (that failed) {
                                if (it failed due to an error)
                                        report the error;
                                mark the file as having gotten an EOF or error;
                        } else
                                note that we have a packet buffered up for that file;
                }
                for (all packets we have buffered up)
                        pick the appropriate packet, write it out, and note that we don't have a packet buffered up from its file;
        }

For TShark, the only pass for one-pass processing, and the first pass for two-pass processing, is *already* something like

        while (reading a packet succeeds)
                print stuff out from the packet
        if (it failed due to an error rather than an EOF)
                report the error

so all we'd need to do is make sure that, for two-pass processing, we don't skip the second pass if we got an error on the first pass.

The same applies to capinfos, except capinfos doesn't have two-pass processing, so it probably doesn't need any change.

Thanks,
Jaap

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
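
The mergecap loop sketched in the message above, as an added Python example (not Wireshark's code and not part of the original thread): a truncated input is reported and dropped while the remaining files keep merging and the output is kept. It assumes classic little-endian pcap inputs with the same link-layer type; `read_packet`, `merge` and `make_pcap` are hypothetical names, and a heap stands in for "one buffered packet per live file".

```python
import heapq
import io
import struct
# Assumption: every input is a classic little-endian pcap with the same link type.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def read_packet(f):
    """Return (timestamp, raw record), or None at a clean EOF; raise if the record is cut short."""
    hdr = f.read(REC_HDR.size)
    if not hdr:
        return None
    if len(hdr) < REC_HDR.size:
        raise EOFError("truncated record header")
    sec, usec, incl_len, _ = REC_HDR.unpack(hdr)
    data = f.read(incl_len)
    if len(data) < incl_len:
        raise EOFError("truncated packet data")
    return (sec, usec), hdr + data

def merge(files, out, errors):
    """Merge a list of (name, file) inputs by timestamp; return the number of packets written."""
    buffered = []  # heap of (timestamp, file index, record): at most one entry per live file
    def refill(idx):
        name, f = files[idx]
        try:
            pkt = read_packet(f)
        except EOFError as e:
            errors.append(f"{name}: {e}")  # report the error, keep the output
            return                         # this file is never refilled again
        if pkt is not None:
            heapq.heappush(buffered, (pkt[0], idx, pkt[1]))
    for idx, (_, f) in enumerate(files):
        f.read(GLOBAL_HDR.size)            # skip the input's file header (not validated here)
        refill(idx)
    out.write(GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    written = 0
    while buffered:                        # "we think we still have packets to read"
        _, idx, rec = heapq.heappop(buffered)
        out.write(rec)
        written += 1
        refill(idx)                        # that file no longer has a packet buffered up
    return written

def make_pcap(timestamps, cut=0):
    """Constructed sample input: one 4-byte packet per timestamp, with `cut` bytes chopped off the end."""
    body = b"".join(REC_HDR.pack(t, 0, 4, 4) + b"\xde\xad\xbe\xef" for t in timestamps)
    blob = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
    return io.BytesIO(blob[:len(blob) - cut])
```

Merging `make_pcap([1, 4, 7])` with `make_pcap([2, 5, 8], cut=3)` writes the five intact packets in timestamp order and leaves one entry in `errors` for the truncated file.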

