Wireshark mailing list archives
Re: Autodetection of file types
From: Stephen Fisher <steve () stephen-fisher com>
Date: Mon, 11 Jul 2011 17:42:44 -0600
On Fri, Jul 01, 2011 at 03:07:19PM +0000, Matt Godbolt wrote:
> From looking at the source, the packetlogger_open() call doesn't seem to be very restrictive - I can see how it could generate false positives. I can also see from file_access.c that packetlogger files have sometimes been mis-identified as mpegs.
It has been over 2 years since I wrote the Packet Logger code, so I don't recall the details, but my original commit (r27463) had this comment in it: "This type does not have a magic number, but its files are sometimes grabbed by mpeg_open." when I put packetlogger_open above mpeg_open in wiretap/file_access.c. The "fix" for now may just be to move packetlogger_open further down again as you mentioned in your e-mail.
> Given how fragile this whole process is, would that be safe - and how might I go about testing that I haven't broken anything else if I were to do so?
In another wiretap file support that I wrote (CommView), I went possibly overboard in checking almost every value in the header such as dates to make sure they were between 1970 and 2038 and hours to make sure it was under 23, etc. Something similar may need to be done with PacketLogger, although it apparently only has two fields in the header: len (length?) and ts (timestamp?).
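An added example, not part of the original message and not Wireshark code: a strict heuristic for a format with no magic number, beside a loose one that accepts an MPEG program stream pack header. The record layout (4-byte big-endian len, 8-byte big-endian ts in seconds, then len payload bytes), the bounds, and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_SIZE    12u          /* assumed: 4-byte len + 8-byte ts */
#define MAX_REC_LEN 65535u       /* assumed upper bound on one record */
#define TS_MAX      2147483647u  /* 2038-01-19, end of signed 32-bit time */
#define MIN_RECORDS 3            /* consecutive records that must all pass */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical loose check: only the first len field is looked at. */
int loose_check(const uint8_t *buf, size_t n) {
    return n >= HDR_SIZE && be32(buf) > 0 && be32(buf) <= MAX_REC_LEN;
}

/* Strict check: walk MIN_RECORDS records, validating len and ts in each. */
int strict_check(const uint8_t *buf, size_t n) {
    size_t off = 0;
    for (int i = 0; i < MIN_RECORDS; i++) {
        if (n - off < HDR_SIZE) return 0;              /* truncated header */
        uint32_t len = be32(buf + off);
        uint64_t ts = ((uint64_t)be32(buf + off + 4) << 32) | be32(buf + off + 8);
        if (len == 0 || len > MAX_REC_LEN) return 0;   /* implausible length */
        if (ts == 0 || ts > TS_MAX) return 0;          /* outside 1970..2038 */
        if (n - off - HDR_SIZE < len) return 0;        /* payload runs past EOF */
        off += HDR_SIZE + len;                         /* next record header */
    }
    return 1;
}

/* Constructed sample: three 1-byte records with timestamps in July 2011. */
static const uint8_t sample_ok[] = {
    0,0,0,1, 0,0,0,0, 0x4E,0x1B,0x8A,0x00, 0xAA,
    0,0,0,1, 0,0,0,0, 0x4E,0x1B,0x8A,0x01, 0xBB,
    0,0,0,1, 0,0,0,0, 0x4E,0x1B,0x8A,0x02, 0xCC };

/* Constructed sample: MPEG-PS pack start code 00 00 01 BA plus filler bytes. */
static const uint8_t sample_mpeg[] = {
    0x00,0x00,0x01,0xBA, 0x44,0x00,0x04,0x00, 0x04,0x01,0x01,0x89,
    0xC3,0xF8,0x00,0x00 };

int main(void) {
    printf("ok:   loose=%d strict=%d\n", loose_check(sample_ok, sizeof sample_ok),
           strict_check(sample_ok, sizeof sample_ok));
    printf("mpeg: loose=%d strict=%d\n", loose_check(sample_mpeg, sizeof sample_mpeg),
           strict_check(sample_mpeg, sizeof sample_mpeg));
    return 0;
}
```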