Ethereal: [ethereal-dev] TCP Follow Save As

Ethereal-dev: August 2000

Subject: [ethereal-dev] TCP Follow Save As
From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 04 Aug 2000 20:47:24 -0500

Today I took a trace of me sending a 10,000-byte file full of "A"
characters across a TCP socket using netcat. I did a "TCP Follow"
and used "Save As" to save the file. To my surprise, the file
had extra data in it.

I had never looked at the TCP follow code too closely; today I found
out that a tcp_stream_chunk struct is written out to the temporary
file in front of every TCP chunk. So, TCP Follow Save As, while useful,
is not perfect; it simply copies the temporary file to a new file,
with the tcp_stream_chunk headers.

To remedy this, I think I'll add these options to the TCP Follow
Save As dialogue box (as a radio button group):

	o Save x.x.x.x --> y.y.y.y
	o Save x.x.x.x <-- y.y.y.y
	o Save bidirectional

and then not do a file copy, but re-process the temporary file,
avoiding copying the headers.

The other option is to place a magic header in the file, so we know
it's an "Ethereal TCP Follow" file, and provide an extra utility
to extract the appropriate data from the file. But I don't like
that idea too much; I'd rather have it done from Ethereal's GUI.

Does anyone have any other ideas?

--gilbert

Follow-Ups:
- Re: [ethereal-dev] TCP Follow Save As
  - From: Laurent Deniel

Prev by Date: Re: [ethereal-dev] [PATCH] Some small improvements to the ICQ dissector
Next by Date: Re: [ethereal-dev] TCP Follow Save As
Previous by thread: Re: [ethereal-dev] [PATCH] Some small improvements to the ICQ dissector
Next by thread: Re: [ethereal-dev] TCP Follow Save As
Index(es):
- Date
- Thread