Re: [Wireshark-dev] Question on text2pcap behaviour
Hi, Read the manual page very carefully: Text2pcap understands a hexdump of the form generated by od -Ax -tx1. In other words, each byte is individually displayed and surrounded with a space. That is also the problem with the patch discussed earlier, it doesn't really work in all cases. Thanx, Jaap Andy Lawman wrote: Abhik, text2pcap was designed to read hex dumps in od format ie: with a character representation of the data on the right. If, like me, you have to create a hex dump from some other source to act as input to text2pcap, then it's your responsibility to ensure that there's something on the right that acts as a place holder. I append .. which is sufficient for text2pcap. Andy. *Abhik Sarkar [EMAIL PROTECTED]* To wireshark-dev@wireshark.org cc bcc Subject [Wireshark-dev] Question on text2pcap behaviour *Abhik Sarkar [EMAIL PROTECTED]* Please respond to : Developer support list for Wireshark wireshark-dev@wireshark.org Sent by: [EMAIL PROTECTED] 01/05/2008 09:36 Hi All, I just ran into a small problem while using text2pcap and I wanted to know (before I attempt to fix it) whether this is a problem at all. Let's say I have a text file with a single line as so (this is just an example, not actual payload): 30 31 32 33 34 35 36 37 38 39 0123456789 According to the comments in text2pcap.c, The text at the end is ignored. My interpretation of this is that the text at the end may or may not be present. Perhaps this interpretation is not quite right because, if I have a like like this (quotes added to clarify the situation): 30 31 32 33 34 35 36 37 38 39 the last byte is ignored. However, if the line is like this 30 31 32 33 34 35 36 37 38 39 then it is parsed correctly. Not having the text part in the end is useful sometimes because sometimes we get just a hex dump of the TCP payload (but without the text part in the end). Thanks! Abhik. ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
[Wireshark-dev] Question on text2pcap behaviour
Hi All, I just ran into a small problem while using text2pcap and I wanted to know (before I attempt to fix it) whether this is a problem at all. Let's say I have a text file with a single line as so (this is just an example, not actual payload): 30 31 32 33 34 35 36 37 38 39 0123456789 According to the comments in text2pcap.c, The text at the end is ignored. My interpretation of this is that the text at the end may or may not be present. Perhaps this interpretation is not quite right because, if I have a like like this (quotes added to clarify the situation): 30 31 32 33 34 35 36 37 38 39 the last byte is ignored. However, if the line is like this 30 31 32 33 34 35 36 37 38 39 then it is parsed correctly. Not having the text part in the end is useful sometimes because sometimes we get just a hex dump of the TCP payload (but without the text part in the end). Thanks! Abhik. ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Question on text2pcap behaviour
On Thu, May 01, 2008 at 12:36:16PM +0400, Abhik Sarkar wrote: Hi All, I just ran into a small problem while using text2pcap and I wanted to know (before I attempt to fix it) whether this is a problem at all. Let's say I have a text file with a single line as so (this is just an example, not actual payload): 30 31 32 33 34 35 36 37 38 39 0123456789 According to the comments in text2pcap.c, The text at the end is ignored. My interpretation of this is that the text at the end may or may not be present. Perhaps this interpretation is not quite right because, if I have a like like this (quotes added to clarify the situation): 30 31 32 33 34 35 36 37 38 39 the last byte is ignored. However, if the line is like this 30 31 32 33 34 35 36 37 38 39 then it is parsed correctly. Not having the text part in the end is useful sometimes because sometimes we get just a hex dump of the TCP payload (but without the text part in the end). Have a look at bug 1723 which already has a patch to improve the parsing of text2pcap. The author of the patch has not responded to the latest comments of Richard though. Maybe we should take his work and polish it for him? (http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1723) Cheers, Sake ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Question on text2pcap behaviour
Abhik, text2pcap was designed to read hex dumps in od format ie: with a character representation of the data on the right. If, like me, you have to create a hex dump from some other source to act as input to text2pcap, then it's your responsibility to ensure that there's something on the right that acts as a place holder. I append .. which is sufficient for text2pcap. Andy. Abhik Sarkar [EMAIL PROTECTED] To wireshark-dev@wireshark.org cc bcc Subject [Wireshark-dev] Question on text2pcap behaviour Abhik Sarkar [EMAIL PROTECTED] Please respond to : Developer support list for Wireshark wireshark-dev@wireshark.org Sent by: [EMAIL PROTECTED] 01/05/2008 09:36 Hi All, I just ran into a small problem while using text2pcap and I wanted to know (before I attempt to fix it) whether this is a problem at all. Let's say I have a text file with a single line as so (this is just an example, not actual payload): 30 31 32 33 34 35 36 37 38 39 0123456789 According to the comments in text2pcap.c, The text at the end is ignored. My interpretation of this is that the text at the end may or may not be present. Perhaps this interpretation is not quite right because, if I have a like like this (quotes added to clarify the situation): 30 31 32 33 34 35 36 37 38 39 the last byte is ignored. However, if the line is like this 30 31 32 33 34 35 36 37 38 39 then it is parsed correctly. Not having the text part in the end is useful sometimes because sometimes we get just a hex dump of the TCP payload (but without the text part in the end). Thanks! Abhik. ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended only for the use of the addressee/s above. It may contain information which is privileged, confidential or otherwise protected from disclosure under applicable laws. If the reader of this transmission is not the intended recipient, you are hereby notified that any dissemination, printing, distribution, copying, disclosure or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this transmission in error, please immediately notify us by reply e-mail or using the address below and delete the message and any attachments from your system. Amadeus Services Ltd, World Business Centre 3, 1208 Newall Road, Hounslow, Middlesex, TW6 2TA, Registered number 4040059___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Question on text2pcap behaviour
Abhik Sarkar wrote: On Thu, May 1, 2008 at 1:51 PM, Sake Blok [EMAIL PROTECTED] wrote: Have a look at bug 1723 which already has a patch to improve the parsing of text2pcap. The author of the patch has not responded to the latest comments of Richard though. Maybe we should take his work and polish it for him? (http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1723) Cheers, Sake Thanks for the pointer, Sake! I will have a look at it and see if it fixes the issue I have and also if I can do anything to incorporate Richard's comments into the patch (unless Jack is already working on it but hasn't had the time to finishing the 'polishing'). Thanks Abhik. I suspect the guy that originally posted the patch lost the will to work on it any further after nothing happened for three months... If you could polish up his patch a bit more, that would be fabulous. On a side note (not /neccessarily/ something i expect you to do anything about, Abhik), it would be fabulous if text2pcap had some tests... just some sample input and expected output such that we can check there aren't any regressions as patches get applied. This is true of much of our code... there aren't enough tests for my liking. How do others feel about this? Cheers Richard ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Question on text2pcap behaviour
On Thu, May 1, 2008 at 2:38 PM, Andy Lawman [EMAIL PROTECTED] wrote: Abhik, text2pcap was designed to read hex dumps in od format ie: with a character representation of the data on the right. If, like me, you have to create a hex dump from some other source to act as input to text2pcap, then it's your responsibility to ensure that there's something on the right that acts as a place holder. I append .. which is sufficient for text2pcap. Andy. Thanks Andy... if that's how it was meant to be, then I'll take your tip (or the shorter path of just adding the space in the end ;-) On Thu, May 1, 2008 at 3:08 PM, Richard van der Hoff [EMAIL PROTECTED] wrote: Thanks Abhik. I suspect the guy that originally posted the patch lost the will to work on it any further after nothing happened for three months... If you could polish up his patch a bit more, that would be fabulous. On a side note (not /neccessarily/ something i expect you to do anything about, Abhik), it would be fabulous if text2pcap had some tests... just some sample input and expected output such that we can check there aren't any regressions as patches get applied. This is true of much of our code... there aren't enough tests for my liking. How do others feel about this? Perhaps I have bitten off a bit more than I can chew here, but it will be a learning experience for me if I can do this... so I take the challenge :-) If someone beats me to it, I don't mind of course. Regards, Abhik ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Question on text2pcap behaviour
Abhik, Because it was designed to read dumps in od format, I think that text2pcap expects something that it will ignore on the right. The current version might accept a trailing blank, but I don't think that's guaranteed to work; it sounds more like a bug that someone might fix. Andy. Abhik Sarkar [EMAIL PROTECTED] To Developer support list for Wireshark wireshark-dev@wireshark.org cc bcc Subject Re: [Wireshark-dev] Question on text2pcap behaviour Abhik Sarkar [EMAIL PROTECTED] Please respond to : Developer support list for Wireshark wireshark-dev@wireshark.org Sent by: [EMAIL PROTECTED] 01/05/2008 12:36 On Thu, May 1, 2008 at 2:38 PM, Andy Lawman [EMAIL PROTECTED] wrote: Abhik, text2pcap was designed to read hex dumps in od format ie: with a character representation of the data on the right. If, like me, you have to create a hex dump from some other source to act as input to text2pcap, then it's your responsibility to ensure that there's something on the right that acts as a place holder. I append .. which is sufficient for text2pcap. Andy. Thanks Andy... if that's how it was meant to be, then I'll take your tip (or the shorter path of just adding the space in the end ;-) On Thu, May 1, 2008 at 3:08 PM, Richard van der Hoff [EMAIL PROTECTED] wrote: Thanks Abhik. I suspect the guy that originally posted the patch lost the will to work on it any further after nothing happened for three months... If you could polish up his patch a bit more, that would be fabulous. On a side note (not /neccessarily/ something i expect you to do anything about, Abhik), it would be fabulous if text2pcap had some tests... just some sample input and expected output such that we can check there aren't any regressions as patches get applied. This is true of much of our code... there aren't enough tests for my liking. How do others feel about this? Perhaps I have bitten off a bit more than I can chew here, but it will be a learning experience for me if I can do this... so I take the challenge :-) If someone beats me to it, I don't mind of course. Regards, Abhik ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended only for the use of the addressee/s above. It may contain information which is privileged, confidential or otherwise protected from disclosure under applicable laws. If the reader of this transmission is not the intended recipient, you are hereby notified that any dissemination, printing, distribution, copying, disclosure or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this transmission in error, please immediately notify us by reply e-mail or using the address below and delete the message and any attachments from your system. Amadeus Services Ltd, World Business Centre 3, 1208 Newall Road, Hounslow, Middlesex, TW6 2TA, Registered number 4040059___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
